diff --git a/apps/blog-next/app/api/forgot-password/route.ts b/apps/blog-next/app/api/forgot-password/route.ts
index 001e7d7..a81fed6 100644
--- a/apps/blog-next/app/api/forgot-password/route.ts
+++ b/apps/blog-next/app/api/forgot-password/route.ts
@@ -1,5 +1,5 @@
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '@/lib/schemas/auth'
 
@@ -14,15 +14,12 @@ export async function POST(request: Request) {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/api/login/route.ts b/apps/blog-next/app/api/login/route.ts
index 85f8ca8..019e907 100644
--- a/apps/blog-next/app/api/login/route.ts
+++ b/apps/blog-next/app/api/login/route.ts
@@ -1,5 +1,5 @@
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '@/lib/schemas/auth'
 
@@ -16,20 +16,12 @@ export async function POST(request: Request) {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
-  }
 
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
@@ -40,7 +32,5 @@ export async function POST(request: Request) {
       ? session.emailVerificationRoute ?? '/verify-email'
       : '/admin',
     user: session.user,
-  }), {
-    headers,
-  })
+  }))
 }
diff --git a/apps/blog-next/app/api/logout/route.ts b/apps/blog-next/app/api/logout/route.ts
index 3be87d2..3b94ae4 100644
--- a/apps/blog-next/app/api/logout/route.ts
+++ b/apps/blog-next/app/api/logout/route.ts
@@ -1,18 +1,12 @@
 import { logout, user } from '@holo-js/auth'
 
 export async function POST() {
-  const signedOut = await logout()
-  const headers = new Headers()
-  for (const cookie of signedOut.cookies) {
-    headers.append('set-cookie', cookie)
-  }
+  await logout()
 
   return Response.json({
     ok: true,
     authenticated: false,
     message: 'Signed out successfully.',
     user: await user(),
-  }, {
-    headers,
   })
 }
diff --git a/apps/blog-next/app/api/register/route.ts b/apps/blog-next/app/api/register/route.ts
index f7c109c..01e27db 100644
--- a/apps/blog-next/app/api/register/route.ts
+++ b/apps/blog-next/app/api/register/route.ts
@@ -1,5 +1,5 @@
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '@/lib/schemas/auth'
 
@@ -16,23 +16,15 @@ export async function POST(request: Request) {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
-  }
 
-  const session = await loginUsing(created)
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
+    return Response.json(failure, { status: failure.status })
   }
 
+  const session = await loginUsing(created)
   return Response.json(submission.success({
     message: session.emailVerificationRequired
       ? 'Account created. Check your inbox to verify your email address.'
@@ -43,6 +35,5 @@ export async function POST(request: Request) {
     user: session.user,
   }, 201), {
     status: 201,
-    headers,
   })
 }
diff --git a/apps/blog-next/app/api/reset-password/route.ts b/apps/blog-next/app/api/reset-password/route.ts
index 3cd5e3a..8014429 100644
--- a/apps/blog-next/app/api/reset-password/route.ts
+++ b/apps/blog-next/app/api/reset-password/route.ts
@@ -1,5 +1,5 @@
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '@/lib/schemas/auth'
 
@@ -14,15 +14,12 @@ export async function POST(request: Request) {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/api/verify-email/route.ts b/apps/blog-next/app/api/verify-email/route.ts
index 341a604..a0c552a 100644
--- a/apps/blog-next/app/api/verify-email/route.ts
+++ b/apps/blog-next/app/api/verify-email/route.ts
@@ -1,5 +1,5 @@
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '@/lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST(request: Request) {
   const wasAuthenticated = await check()
   const { error } = await verification.consume(submission.data.token)
   if (error) {
-    return Response.json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
diff --git a/apps/blog-next/app/auth/github/callback/route.ts b/apps/blog-next/app/auth/github/callback/route.ts
new file mode 100644
index 0000000..b3b3e24
--- /dev/null
+++ b/apps/blog-next/app/auth/github/callback/route.ts
@@ -0,0 +1,21 @@
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('github', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
+}
diff --git a/apps/blog-next/app/auth/github/route.ts b/apps/blog-next/app/auth/github/route.ts
new file mode 100644
index 0000000..0650a4c
--- /dev/null
+++ b/apps/blog-next/app/auth/github/route.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return redirect('github', request)
+}
diff --git a/apps/blog-next/app/auth/google/callback/route.ts b/apps/blog-next/app/auth/google/callback/route.ts
new file mode 100644
index 0000000..827b3d8
--- /dev/null
+++ b/apps/blog-next/app/auth/google/callback/route.ts
@@ -0,0 +1,21 @@
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
+}
diff --git a/apps/blog-next/app/auth/google/route.ts b/apps/blog-next/app/auth/google/route.ts
new file mode 100644
index 0000000..5c1baa4
--- /dev/null
+++ b/apps/blog-next/app/auth/google/route.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET(request: Request): Promise<Response> {
+  return redirect('google', request)
+}
diff --git a/apps/blog-next/app/login/page.tsx b/apps/blog-next/app/login/page.tsx
index 36914d2..2c39684 100644
--- a/apps/blog-next/app/login/page.tsx
+++ b/apps/blog-next/app/login/page.tsx
@@ -44,6 +44,11 @@ export default function LoginPage() {
         <p style={{ margin: 0, color: '#94a3b8' }}>Use your email address and password to access the admin area.</p>
       </div>
 
+      <div style={{ display: 'grid', gap: '0.65rem' }}>
+        <a href="/auth/google" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with Google</a>
+        <a href="/auth/github" style={{ color: '#e5e7eb', textDecoration: 'none' }}>Continue with GitHub</a>
+      </div>
+
       <form onSubmit={(event) => { event.preventDefault(); form.submit() }} style={{ display: 'grid', gap: '0.9rem' }}>
         <label style={{ display: 'grid', gap: '0.35rem' }}>
           <span>Email</span>
diff --git a/apps/blog-next/lib/schemas/auth.ts b/apps/blog-next/lib/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-next/lib/schemas/auth.ts
+++ b/apps/blog-next/lib/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-nuxt/app/pages/login.vue b/apps/blog-nuxt/app/pages/login.vue
index baf55d5..30aa62d 100644
--- a/apps/blog-nuxt/app/pages/login.vue
+++ b/apps/blog-nuxt/app/pages/login.vue
@@ -32,6 +32,11 @@ const form = useForm(loginForm, {
       <p>Use your email address and password to access the admin area.</p>
     </div>
 
+    <div class="social-links">
+      <a href="/auth/google">Continue with Google</a>
+      <a href="/auth/github">Continue with GitHub</a>
+    </div>
+
     <form class="stack" @submit.prevent="form.submit()">
       <label class="field">
         <span>Email</span>
@@ -72,6 +77,8 @@ const form = useForm(loginForm, {
 .copy p { margin: 0; color: #94a3b8; }
 .stack, .field { display: grid; gap: 0.35rem; }
 .stack { gap: 0.9rem; }
+.social-links { display: grid; gap: 0.65rem; }
+.social-links a { color: #e5e7eb; text-decoration: none; }
 .remember, .links { display: flex; gap: 0.75rem; align-items: center; flex-wrap: wrap; }
 .error { color: #fca5a5; }
 .success { color: #86efac; }
diff --git a/apps/blog-nuxt/server/api/forgot-password.post.ts b/apps/blog-nuxt/server/api/forgot-password.post.ts
index e4512c1..0c82c33 100644
--- a/apps/blog-nuxt/server/api/forgot-password.post.ts
+++ b/apps/blog-nuxt/server/api/forgot-password.post.ts
@@ -1,5 +1,5 @@
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '#shared/schemas/auth'
 
@@ -14,14 +14,13 @@ export default defineEventHandler(async (event) => {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/api/login.post.ts b/apps/blog-nuxt/server/api/login.post.ts
index a8062fe..c2aa095 100644
--- a/apps/blog-nuxt/server/api/login.post.ts
+++ b/apps/blog-nuxt/server/api/login.post.ts
@@ -1,5 +1,5 @@
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '#shared/schemas/auth'
 
@@ -16,17 +16,14 @@ export default defineEventHandler(async (event) => {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
-  }
+    })
 
-  event.node.res.setHeader('set-cookie', [...session.cookies])
+    setResponseStatus(event, failure.status)
+    return failure
+  }
 
   return submission.success({
     message: session.emailVerificationRequired
diff --git a/apps/blog-nuxt/server/api/logout.post.ts b/apps/blog-nuxt/server/api/logout.post.ts
index aed9bf5..cd89250 100644
--- a/apps/blog-nuxt/server/api/logout.post.ts
+++ b/apps/blog-nuxt/server/api/logout.post.ts
@@ -1,8 +1,7 @@
 import { logout, user } from '@holo-js/auth'
 
-export default defineEventHandler(async (event) => {
-  const signedOut = await logout()
-  event.node.res.setHeader('set-cookie', [...signedOut.cookies])
+export default defineEventHandler(async () => {
+  await logout()
 
   return {
     ok: true,
diff --git a/apps/blog-nuxt/server/api/register.post.ts b/apps/blog-nuxt/server/api/register.post.ts
index fc08c7e..6724432 100644
--- a/apps/blog-nuxt/server/api/register.post.ts
+++ b/apps/blog-nuxt/server/api/register.post.ts
@@ -1,5 +1,5 @@
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '#shared/schemas/auth'
 
@@ -16,18 +16,16 @@ export default defineEventHandler(async (event) => {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   const session = await loginUsing(created)
-  event.node.res.setHeader('set-cookie', [...session.cookies])
   setResponseStatus(event, 201)
   return submission.success({
     message: session.emailVerificationRequired
diff --git a/apps/blog-nuxt/server/api/reset-password.post.ts b/apps/blog-nuxt/server/api/reset-password.post.ts
index fca13d7..9120de1 100644
--- a/apps/blog-nuxt/server/api/reset-password.post.ts
+++ b/apps/blog-nuxt/server/api/reset-password.post.ts
@@ -1,5 +1,5 @@
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '#shared/schemas/auth'
 
@@ -14,14 +14,13 @@ export default defineEventHandler(async (event) => {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/api/verify-email.post.ts b/apps/blog-nuxt/server/api/verify-email.post.ts
index cd0fa96..bae608c 100644
--- a/apps/blog-nuxt/server/api/verify-email.post.ts
+++ b/apps/blog-nuxt/server/api/verify-email.post.ts
@@ -1,5 +1,5 @@
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '#shared/schemas/auth'
 
@@ -15,14 +15,13 @@ export default defineEventHandler(async (event) => {
   const wasAuthenticated = await check()
   const { error } = await verification.consume(submission.data.token)
   if (error) {
-    setResponseStatus(event, error.status)
-    return {
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }
+    })
+
+    setResponseStatus(event, failure.status)
+    return failure
   }
 
   return submission.success({
diff --git a/apps/blog-nuxt/server/lib/request.ts b/apps/blog-nuxt/server/lib/request.ts
new file mode 100644
index 0000000..889bd9a
--- /dev/null
+++ b/apps/blog-nuxt/server/lib/request.ts
@@ -0,0 +1,15 @@
+import { getHeaders, getRequestURL, type H3Event } from 'h3'
+
+export function toWebRequest(event: H3Event): Request {
+  const headers = new Headers()
+  for (const [key, value] of Object.entries(getHeaders(event))) {
+    if (typeof value === 'string') {
+      headers.set(key, value)
+    }
+  }
+
+  return new Request(getRequestURL(event), {
+    method: event.method,
+    headers,
+  })
+}
diff --git a/apps/blog-nuxt/server/routes/auth/github.get.ts b/apps/blog-nuxt/server/routes/auth/github.get.ts
new file mode 100644
index 0000000..a760090
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/github.get.ts
@@ -0,0 +1,7 @@
+import { redirect } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../lib/request'
+
+export default defineEventHandler((event) => {
+  return redirect('github', toWebRequest(event))
+})
diff --git a/apps/blog-nuxt/server/routes/auth/github/callback.get.ts b/apps/blog-nuxt/server/routes/auth/github/callback.get.ts
new file mode 100644
index 0000000..f65c483
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/github/callback.get.ts
@@ -0,0 +1,15 @@
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../../lib/request'
+
+export default defineEventHandler(async (event) => {
+  const result = await callback('github', toWebRequest(event))
+  if (!result.ok) {
+    setResponseStatus(event, result.status)
+    return { message: result.message }
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  return sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-nuxt/server/routes/auth/google.get.ts b/apps/blog-nuxt/server/routes/auth/google.get.ts
new file mode 100644
index 0000000..8655171
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/google.get.ts
@@ -0,0 +1,7 @@
+import { redirect } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../lib/request'
+
+export default defineEventHandler((event) => {
+  return redirect('google', toWebRequest(event))
+})
diff --git a/apps/blog-nuxt/server/routes/auth/google/callback.get.ts b/apps/blog-nuxt/server/routes/auth/google/callback.get.ts
new file mode 100644
index 0000000..6f91a70
--- /dev/null
+++ b/apps/blog-nuxt/server/routes/auth/google/callback.get.ts
@@ -0,0 +1,15 @@
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+import { toWebRequest } from '../../../lib/request'
+
+export default defineEventHandler(async (event) => {
+  const result = await callback('google', toWebRequest(event))
+  if (!result.ok) {
+    setResponseStatus(event, result.status)
+    return { message: result.message }
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  return sendRedirect(event, '/admin', 303)
+})
diff --git a/apps/blog-nuxt/shared/schemas/auth.ts b/apps/blog-nuxt/shared/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-nuxt/shared/schemas/auth.ts
+++ b/apps/blog-nuxt/shared/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-sveltekit/src/lib/schemas/auth.ts b/apps/blog-sveltekit/src/lib/schemas/auth.ts
index 0f7a314..cb5bd8e 100644
--- a/apps/blog-sveltekit/src/lib/schemas/auth.ts
+++ b/apps/blog-sveltekit/src/lib/schemas/auth.ts
@@ -2,15 +2,15 @@ import { field, schema } from '@holo-js/forms/schema'
 
 export const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
 export const registerForm = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const forgotPasswordForm = schema({
@@ -19,8 +19,8 @@ export const forgotPasswordForm = schema({
 
 export const resetPasswordForm = schema({
   token: field.string().required('Reset token is required.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.').confirmed(),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 
 export const verifyEmailForm = schema({
diff --git a/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts b/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
index 59c1f06..93b3042 100644
--- a/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/forgot-password/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { requestPasswordReset } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { forgotPasswordForm } from '$lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { error } = await requestPasswordReset(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/api/login/+server.ts b/apps/blog-sveltekit/src/routes/api/login/+server.ts
index c25a103..6ba0dd3 100644
--- a/apps/blog-sveltekit/src/routes/api/login/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/login/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { login } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { loginForm } from '$lib/schemas/auth'
 
@@ -17,20 +17,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { data: session, error } = await login(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
-  }
 
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
@@ -41,7 +33,5 @@ export async function POST({ request }: { request: Request }) {
       ? session.emailVerificationRoute ?? '/verify-email'
       : '/admin',
     user: session.user,
-  }), {
-    headers,
-  })
+  }))
 }
diff --git a/apps/blog-sveltekit/src/routes/api/logout/+server.ts b/apps/blog-sveltekit/src/routes/api/logout/+server.ts
index b628d5c..40833fe 100644
--- a/apps/blog-sveltekit/src/routes/api/logout/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/logout/+server.ts
@@ -2,18 +2,12 @@ import { json } from '@sveltejs/kit'
 import { logout, user } from '@holo-js/auth'
 
 export async function POST() {
-  const signedOut = await logout()
-  const headers = new Headers()
-  for (const cookie of signedOut.cookies) {
-    headers.append('set-cookie', cookie)
-  }
+  await logout()
 
   return json({
     ok: true,
     authenticated: false,
     message: 'Signed out successfully.',
     user: await user(),
-  }, {
-    headers,
   })
 }
diff --git a/apps/blog-sveltekit/src/routes/api/register/+server.ts b/apps/blog-sveltekit/src/routes/api/register/+server.ts
index 05b6e58..b029d84 100644
--- a/apps/blog-sveltekit/src/routes/api/register/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/register/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { loginUsing, register } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { registerForm } from '$lib/schemas/auth'
 
@@ -17,23 +17,15 @@ export async function POST({ request }: { request: Request }) {
 
   const { data: created, error } = await register(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
-  }
 
-  const session = await loginUsing(created)
-  const headers = new Headers()
-  for (const cookie of session.cookies) {
-    headers.append('set-cookie', cookie)
+    return json(failure, { status: failure.status })
   }
 
+  const session = await loginUsing(created)
   return json(submission.success({
     message: session.emailVerificationRequired
       ? 'Account created. Check your inbox to verify your email address.'
@@ -44,6 +36,5 @@ export async function POST({ request }: { request: Request }) {
     user: session.user,
   }, 201), {
     status: 201,
-    headers,
   })
 }
diff --git a/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts b/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
index 288fb9b..cacde60 100644
--- a/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/reset-password/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { resetPassword } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { resetPasswordForm } from '$lib/schemas/auth'
 
@@ -15,15 +15,12 @@ export async function POST({ request }: { request: Request }) {
 
   const { error } = await resetPassword(submission.data)
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts b/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
index 26ac9fc..48d3e75 100644
--- a/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
+++ b/apps/blog-sveltekit/src/routes/api/verify-email/+server.ts
@@ -1,6 +1,6 @@
 import { json } from '@sveltejs/kit'
 import { check, verification } from '@holo-js/auth'
-import { sanitizeFlashedInput, validate } from '@holo-js/forms'
+import { validate } from '@holo-js/forms'
 
 import { verifyEmailForm } from '$lib/schemas/auth'
 
@@ -17,15 +17,12 @@ export async function POST({ request }: { request: Request }) {
   const verificationResult = verification.consume(submission.data.token)
   const [wasAuthenticated, { error }] = await Promise.all([authenticationCheck, verificationResult])
   if (error) {
-    return json({
-      ok: false as const,
+    const failure = submission.fail({
       status: error.status,
-      valid: false as const,
-      values: sanitizeFlashedInput(submission.values),
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return json(failure, { status: failure.status })
   }
 
   return json(submission.success({
diff --git a/apps/blog-sveltekit/src/routes/auth/github/+server.ts b/apps/blog-sveltekit/src/routes/auth/github/+server.ts
new file mode 100644
index 0000000..bcc3c3c
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/github/+server.ts
@@ -0,0 +1,5 @@
+import { redirect } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return redirect('github', request)
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts b/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts
new file mode 100644
index 0000000..1692d7f
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/github/callback/+server.ts
@@ -0,0 +1,21 @@
+import { json, redirect } from '@sveltejs/kit'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('github', request)
+  if (!result.ok) {
+    return json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  throw redirect(303, '/admin')
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/google/+server.ts b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
new file mode 100644
index 0000000..1b0b63a
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/google/+server.ts
@@ -0,0 +1,6 @@
+import { redirect } from '@holo-js/auth-social'
+import type { RequestHandler } from './$types'
+
+export const GET: RequestHandler = async ({ request }) => {
+  return redirect('google', request)
+}
diff --git a/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts b/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts
new file mode 100644
index 0000000..313ee02
--- /dev/null
+++ b/apps/blog-sveltekit/src/routes/auth/google/callback/+server.ts
@@ -0,0 +1,21 @@
+import { json, redirect } from '@sveltejs/kit'
+import auth from '@holo-js/auth'
+import { callback } from '@holo-js/auth-social'
+
+export function GET({ request }: { request: Request }): Promise<Response> {
+  return handleCallback(request)
+}
+
+async function handleCallback(request: Request): Promise<Response> {
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  throw redirect(303, '/admin')
+}
diff --git a/apps/blog-sveltekit/src/routes/login/+page.svelte b/apps/blog-sveltekit/src/routes/login/+page.svelte
index c012207..8a3523e 100644
--- a/apps/blog-sveltekit/src/routes/login/+page.svelte
+++ b/apps/blog-sveltekit/src/routes/login/+page.svelte
@@ -27,6 +27,11 @@
     <p>Use your email address and password to access the admin area.</p>
   </div>
 
+  <div class="social-links">
+    <a href="/auth/google">Continue with Google</a>
+    <a href="/auth/github">Continue with GitHub</a>
+  </div>
+
   <form class="stack" on:submit={(event) => { event.preventDefault(); form.submit() }}>
     <label class="field">
       <span>Email</span>
@@ -89,6 +94,8 @@
   .copy p { margin: 0; color: #94a3b8; }
   .stack, .field { display: grid; gap: 0.35rem; }
   .stack { gap: 0.9rem; }
+  .social-links { display: grid; gap: 0.65rem; }
+  .social-links a { color: #e5e7eb; text-decoration: none; }
   .remember, .links { display: flex; gap: 0.75rem; align-items: center; flex-wrap: wrap; }
   .error { color: #fca5a5; }
   .success { color: #86efac; }
diff --git a/apps/docs/docs/auth/index.md b/apps/docs/docs/auth/index.md
index 450dde6..7e46184 100644
--- a/apps/docs/docs/auth/index.md
+++ b/apps/docs/docs/auth/index.md
@@ -122,65 +122,61 @@ export default defineSessionConfig({
 })
 ```
 
-Then use auth operations inside your own routes:
+Then use auth operations inside your own routes. With `@holo-js/forms`, failed values are sanitized
+by the form schema before they are sent back to the client:
 
 ```ts
 import { login, logout, refreshUser, register, user } from '@holo-js/auth'
+import { field, schema, validate } from '@holo-js/forms'
 
-function sanitizeAuthBody(body: Record<string, unknown>) {
-  const sanitizedBody = { ...body }
-  delete sanitizedBody.password
-  delete sanitizedBody.passwordConfirmation
-  delete sanitizedBody.confirmPassword
-  delete sanitizedBody.currentPassword
-  delete sanitizedBody.newPassword
-  delete sanitizedBody.token
+const registerForm = schema({
+  name: field.string().required(),
+  email: field.string().required().email(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
+})
 
-  return sanitizedBody
-}
+const loginForm = schema({
+  email: field.string().required().email(),
+  password: field.password().required(),
+  remember: field.boolean().default(false),
+})
 
 export async function POST(request: Request) {
-  const body = await request.json()
-  const sanitizedBody = sanitizeAuthBody(body)
-
-  const { data: created, error: registerError } = await register({
-    name: body.name,
-    email: body.email,
-    password: body.password,
-    passwordConfirmation: body.passwordConfirmation,
-  })
+  const submission = await validate(request, registerForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
+
+  const { data: created, error: registerError } = await register(submission.data)
 
   if (registerError) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: registerError.status,
-      valid: false,
-      values: sanitizedBody,
       errors: registerError.fields,
-    }, { status: registerError.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(created, { status: 201 })
 }
 
 export async function PUT(request: Request) {
-  const body = await request.json()
-  const sanitizedBody = sanitizeAuthBody(body)
+  const submission = await validate(request, loginForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
 
-  const { data: session, error } = await login({
-    email: body.email,
-    password: body.password,
-    remember: body.remember === true,
-  })
+  const { data: session, error } = await login(submission.data)
 
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: sanitizedBody,
       errors: error.fields,
-    }, { status: error.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json({
@@ -404,19 +400,17 @@ Successful auth calls put the result in `data`. Expected auth failures come back
 }
 ```
 
-That means your route can forward auth failures directly without any helper layer:
+That means a form-backed route can forward auth failures through the submission object. The forms
+package keeps sensitive values out of the response:
 
 ```ts
-const sanitizedBody = sanitizeAuthBody(body)
-
 if (error) {
-  return Response.json({
-    ok: false,
+  const failure = submission.fail({
     status: error.status,
-    valid: false,
-    values: sanitizedBody,
     errors: error.fields,
-  }, { status: error.status })
+  })
+
+  return Response.json(failure, { status: failure.status })
 }
 ```
 
diff --git a/apps/docs/docs/auth/local-auth.md b/apps/docs/docs/auth/local-auth.md
index 6a9a432..24ecdff 100644
--- a/apps/docs/docs/auth/local-auth.md
+++ b/apps/docs/docs/auth/local-auth.md
@@ -425,23 +425,28 @@ Your framework route owns parsing and response formatting. The auth package only
 
 ```ts
 import { login } from '@holo-js/auth'
+import { field, schema, validate } from '@holo-js/forms'
+
+const loginForm = schema({
+  email: field.string().required().email(),
+  password: field.password().required(),
+})
 
 export async function POST(request: Request) {
-  const body = await request.json()
+  const submission = await validate(request, loginForm)
+  if (!submission.valid) {
+    return Response.json(submission.fail(), { status: submission.fail().status })
+  }
 
-  const { data: session, error } = await login({
-    email: body.email,
-    password: body.password,
-  })
+  const { data: session, error } = await login(submission.data)
 
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: body,
       errors: error.fields,
-    }, { status: error.status })
+    })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json({
diff --git a/apps/docs/docs/auth/social-login.md b/apps/docs/docs/auth/social-login.md
index 4522096..8179faf 100644
--- a/apps/docs/docs/auth/social-login.md
+++ b/apps/docs/docs/auth/social-login.md
@@ -66,9 +66,9 @@ import { defineAuthConfig } from '@holo-js/config'
 export default defineAuthConfig({
   social: {
     google: {
-      clientId: process.env.GOOGLE_CLIENT_ID,
-      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
-      redirectUri: 'https://app.example.com/auth/google/callback',
+      clientId: process.env.AUTH_GOOGLE_CLIENT_ID,
+      clientSecret: process.env.AUTH_GOOGLE_CLIENT_SECRET,
+      redirectUri: process.env.AUTH_GOOGLE_REDIRECT_URI,
       scopes: ['openid', 'email', 'profile'],
       guard: 'web',
     },
@@ -76,6 +76,11 @@ export default defineAuthConfig({
 })
 ```
 
+The route the user clicks is the start route, for example `/auth/google`.
+
+The URL registered with the provider is the redirect URI, for example `/auth/google/callback`. This is the URL Google
+calls the "Authorized redirect URI", and it is the same value you put in `AUTH_GOOGLE_REDIRECT_URI`.
+
 Provider keys map to first-party packages:
 
 - `google` -> `@holo-js/auth-social-google`
@@ -168,19 +173,48 @@ Typical route shapes:
 - `GET /auth/github`
 - `GET /auth/github/callback`
 
+For a local app running on `http://localhost:3000`, put this in the provider dashboard:
+
+```text
+http://localhost:3000/auth/google/callback
+http://localhost:3000/auth/github/callback
+```
+
+And put the same redirect URIs in your app env:
+
+```ini
+AUTH_GOOGLE_REDIRECT_URI=http://localhost:3000/auth/google/callback
+AUTH_GITHUB_REDIRECT_URI=http://localhost:3000/auth/github/callback
+```
+
 ## Handling The Callback
 
 ```ts
+import { redirect } from 'next/navigation'
+import auth from '@holo-js/auth'
 import { callback } from '@holo-js/auth-social'
 
 export async function GET(request: Request) {
-  return callback('google', request)
+  const result = await callback('google', request)
+  if (!result.ok) {
+    return Response.json({
+      message: result.message,
+    }, {
+      status: result.status,
+    })
+  }
+
+  await auth.guard(result.guard).loginUsing(result.user)
+  redirect('/admin')
 }
 ```
 
 The callback route should receive the upstream `code` and `state` values, then pass the full request through to Holo.
 Holo validates the state, verifies PKCE when that provider flow uses it, exchanges the authorization code, links the
-identity, and establishes the local session.
+identity, and returns the local user.
+
+Use `loginUsing()` when the selected guard is session-based, then redirect with your framework's native redirect API.
+Token guard flows can create a token from the returned user instead of creating a session.
 
 The callback flow:
 
@@ -190,7 +224,8 @@ The callback flow:
 - loads the provider profile
 - resolves or creates a local user
 - links the social identity
-- establishes a local authenticated session
+- establishes a local session when using a session guard with `loginUsing()`, or returns an authenticated user that
+  token guards can use to create an access token
 
 Each provider package handles its own upstream field mapping. Holo does not guess raw provider response shapes across
 different services.
diff --git a/apps/docs/docs/forms/client-usage.md b/apps/docs/docs/forms/client-usage.md
index abebc2c..c49b876 100644
--- a/apps/docs/docs/forms/client-usage.md
+++ b/apps/docs/docs/forms/client-usage.md
@@ -23,8 +23,8 @@ import { field, schema } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required('Name is required.').min(3, 'Name must be at least 3 characters.'),
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
-  passwordConfirmation: field.string().required('Please confirm your password.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  passwordConfirmation: field.password().required('Please confirm your password.'),
 })
 ```
 
diff --git a/apps/docs/docs/forms/framework-integration.md b/apps/docs/docs/forms/framework-integration.md
index f3e6cc7..6f08f11 100644
--- a/apps/docs/docs/forms/framework-integration.md
+++ b/apps/docs/docs/forms/framework-integration.md
@@ -19,7 +19,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export async function POST(request: Request) {
@@ -43,7 +43,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export default defineEventHandler(async (event) => {
@@ -66,7 +66,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const actions = {
@@ -93,7 +93,7 @@ import { User } from '$lib/server/models'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const login = form(loginForm, async (data, invalid) => {
diff --git a/apps/docs/docs/forms/index.md b/apps/docs/docs/forms/index.md
index a539f7e..fafc846 100644
--- a/apps/docs/docs/forms/index.md
+++ b/apps/docs/docs/forms/index.md
@@ -27,8 +27,9 @@ import { field, schema } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
+  nationalId: field.string().sensitive().optional(),
   avatar: field.file().optional().image().maxSize('2mb'),
   newsletter: field.boolean().default(false),
 })
diff --git a/apps/docs/docs/forms/server-validation.md b/apps/docs/docs/forms/server-validation.md
index f3ef576..f62cfd8 100644
--- a/apps/docs/docs/forms/server-validation.md
+++ b/apps/docs/docs/forms/server-validation.md
@@ -10,6 +10,10 @@ validation as optional enhancement.
 The browser submits a form, the server validates it, and the response returns either `submission.fail()`
 or `submission.success(...)`.
 
+Use `field.password()` for password values and `.sensitive()` for any other submitted value that must
+never be flashed back to the client. `submission.fail()` and `submission.serialize()` remove those
+fields automatically.
+
 ::: code-group
 
 ```ts [Next.js — app/api/login/route.ts]
@@ -17,7 +21,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -46,7 +50,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -72,7 +76,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required('Email is required.').email('Enter a valid email address.'),
-  password: field.string().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
+  password: field.password().required('Password is required.').min(8, 'Password must be at least 8 characters.'),
   remember: field.boolean().default(false),
 })
 
@@ -119,7 +123,7 @@ import { User } from '$lib/server/models'
 
 const loginSchema = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const login = form(loginSchema, async (data, invalid) => {
@@ -470,6 +474,8 @@ When validation fails, `submission.fail()` returns:
 }
 ```
 
+Password fields and fields marked with `.sensitive()` are omitted from `values`.
+
 ## Success response shape
 
 On success:
@@ -509,8 +515,8 @@ import { field, schema, validate } from '@holo-js/forms'
 export const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export async function POST(request: Request) {
@@ -537,8 +543,8 @@ import { field, schema, validate } from '@holo-js/forms'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export default defineEventHandler(async (event) => {
@@ -564,8 +570,8 @@ import { field, schema, validate } from '@holo-js/forms'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export const actions = {
@@ -594,7 +600,7 @@ import { User } from '$lib/server/models'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export const register = form(registerUser, async (data, invalid) => {
diff --git a/apps/docs/docs/security.md b/apps/docs/docs/security.md
index 09f2726..501854e 100644
--- a/apps/docs/docs/security.md
+++ b/apps/docs/docs/security.md
@@ -127,7 +127,7 @@ import { login } from '@holo-js/auth'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export async function POST(request: Request) {
@@ -144,15 +144,12 @@ export async function POST(request: Request) {
 
   const { error } = await login(submission.data)
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: submission.values,
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
@@ -170,8 +167,8 @@ import { register } from '@holo-js/auth'
 const registerUser = schema({
   name: field.string().required().min(3).max(255),
   email: field.string().required().email(),
-  password: field.string().required().min(8).confirmed(),
-  passwordConfirmation: field.string().required(),
+  password: field.password().required().min(8).confirmed(),
+  passwordConfirmation: field.password().required(),
 })
 
 export async function POST(request: Request) {
@@ -188,15 +185,12 @@ export async function POST(request: Request) {
 
   const { error } = await register(submission.data)
   if (error) {
-    return Response.json({
-      ok: false,
+    const failure = submission.fail({
       status: error.status,
-      valid: false,
-      values: submission.values,
       errors: error.fields,
-    }, {
-      status: error.status,
     })
+
+    return Response.json(failure, { status: failure.status })
   }
 
   return Response.json(submission.success({
@@ -444,7 +438,7 @@ import { field, schema, validate } from '@holo-js/forms'
 
 const loginForm = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 
 export default defineEventHandler(async (event) => {
diff --git a/apps/docs/docs/validation/index.md b/apps/docs/docs/validation/index.md
index 8b0b3c6..99ec579 100644
--- a/apps/docs/docs/validation/index.md
+++ b/apps/docs/docs/validation/index.md
@@ -46,7 +46,7 @@ import { field, schema, validate } from '@holo-js/validation'
 
 const createSession = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
   remember: field.boolean().default(false),
 })
 
diff --git a/apps/docs/docs/validation/rules-and-errors.md b/apps/docs/docs/validation/rules-and-errors.md
index 3de0aba..eace401 100644
--- a/apps/docs/docs/validation/rules-and-errors.md
+++ b/apps/docs/docs/validation/rules-and-errors.md
@@ -18,7 +18,7 @@ const registerUser = schema({
   email: field.string()
     .required('Email is required.')
     .email('Enter a valid email address.'),
-  password: field.string()
+  password: field.password()
     .min(8, 'Password must be at least 8 characters.'),
   birthday: field.date()
     .beforeOrToday('Birthday cannot be in the future.'),
@@ -44,7 +44,7 @@ import { field, schema } from '@holo-js/validation'
 
 const registerUser = schema({
   email: field.string().required().email(),
-  password: field.string().required().min(8),
+  password: field.password().required().min(8),
 })
 ```
 
diff --git a/packages/adapter-next/src/config.ts b/packages/adapter-next/src/config.ts
index 53a58c9..12c50a9 100644
--- a/packages/adapter-next/src/config.ts
+++ b/packages/adapter-next/src/config.ts
@@ -1,3 +1,6 @@
+import { existsSync, readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+
 const HOLO_SERVER_EXTERNAL_PACKAGES = [
   '@holo-js/core',
   '@holo-js/adapter-next',
@@ -6,6 +9,43 @@ const HOLO_SERVER_EXTERNAL_PACKAGES = [
   'esbuild',
 ]
 
+const HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES = [
+  '@holo-js/auth',
+  '@holo-js/auth-clerk',
+  '@holo-js/auth-social',
+  '@holo-js/auth-social-apple',
+  '@holo-js/auth-social-discord',
+  '@holo-js/auth-social-facebook',
+  '@holo-js/auth-social-github',
+  '@holo-js/auth-social-google',
+  '@holo-js/auth-social-linkedin',
+  '@holo-js/auth-workos',
+  '@holo-js/authorization',
+  '@holo-js/broadcast',
+  '@holo-js/cache',
+  '@holo-js/cache-db',
+  '@holo-js/cache-redis',
+  '@holo-js/events',
+  '@holo-js/forms',
+  '@holo-js/mail',
+  '@holo-js/notifications',
+  '@holo-js/queue',
+  '@holo-js/queue-db',
+  '@holo-js/queue-redis',
+  '@holo-js/security',
+  '@holo-js/session',
+  '@holo-js/storage',
+  '@holo-js/storage-s3',
+  '@holo-js/validation',
+] as const
+
+interface PackageJson {
+  readonly dependencies?: Readonly<Record<string, string>>
+  readonly devDependencies?: Readonly<Record<string, string>>
+  readonly peerDependencies?: Readonly<Record<string, string>>
+  readonly optionalDependencies?: Readonly<Record<string, string>>
+}
+
 interface TurbopackIgnoreIssueRule {
   readonly path: string | RegExp
   readonly title?: string | RegExp
@@ -24,10 +64,60 @@ interface NextConfig {
   readonly [key: string]: unknown
 }
 
+function isStringRecord(value: unknown): value is Readonly<Record<string, string>> {
+  if (!value || typeof value !== 'object' || Array.isArray(value)) {
+    return false
+  }
+
+  return Object.values(value).every(entry => typeof entry === 'string')
+}
+
+function readPackageJson(projectRoot: string): PackageJson | undefined {
+  const packageJsonPath = resolve(projectRoot, 'package.json')
+  if (!existsSync(packageJsonPath)) {
+    return undefined
+  }
+
+  let parsed: unknown
+  try {
+    parsed = JSON.parse(readFileSync(packageJsonPath, 'utf8')) as unknown
+  } catch {
+    return undefined
+  }
+
+  if (!parsed || typeof parsed !== 'object' || Array.isArray(parsed)) {
+    return undefined
+  }
+
+  return {
+    ...('dependencies' in parsed && isStringRecord(parsed.dependencies) ? { dependencies: parsed.dependencies } : {}),
+    ...('devDependencies' in parsed && isStringRecord(parsed.devDependencies) ? { devDependencies: parsed.devDependencies } : {}),
+    ...('peerDependencies' in parsed && isStringRecord(parsed.peerDependencies) ? { peerDependencies: parsed.peerDependencies } : {}),
+    ...('optionalDependencies' in parsed && isStringRecord(parsed.optionalDependencies) ? { optionalDependencies: parsed.optionalDependencies } : {}),
+  }
+}
+
+function hasPackage(packageJson: PackageJson, packageName: string): boolean {
+  return packageJson.dependencies?.[packageName] !== undefined
+    || packageJson.devDependencies?.[packageName] !== undefined
+    || packageJson.peerDependencies?.[packageName] !== undefined
+    || packageJson.optionalDependencies?.[packageName] !== undefined
+}
+
+function resolveInstalledOptionalServerExternalPackages(projectRoot: string): readonly string[] {
+  const packageJson = readPackageJson(projectRoot)
+  if (!packageJson) {
+    return []
+  }
+
+  return HOLO_OPTIONAL_SERVER_EXTERNAL_PACKAGES.filter(packageName => hasPackage(packageJson, packageName))
+}
+
 export function withHolo<TConfig extends NextConfig>(nextConfig: TConfig = {} as TConfig): TConfig {
   const existingExternal = nextConfig.serverExternalPackages ?? []
+  const optionalExternal = resolveInstalledOptionalServerExternalPackages(process.cwd())
   const mergedExternal = [
-    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...existingExternal]),
+    ...new Set([...HOLO_SERVER_EXTERNAL_PACKAGES, ...optionalExternal, ...existingExternal]),
   ]
 
   const existingExcludes = nextConfig.outputFileTracingExcludes ?? {}
diff --git a/packages/adapter-next/src/runtime.ts b/packages/adapter-next/src/runtime.ts
index 84721a1..1c27f26 100644
--- a/packages/adapter-next/src/runtime.ts
+++ b/packages/adapter-next/src/runtime.ts
@@ -8,6 +8,98 @@ export type NextHoloRuntimeOptions = CreateHoloOptions & {
   readonly projectRoot: string
 }
 
+type ResponseCookieOptions = {
+  path?: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+  partitioned?: boolean
+}
+
+type ParsedResponseCookie = {
+  readonly name: string
+  readonly value: string
+  readonly options: ResponseCookieOptions
+}
+
+type MutableNextCookieStore = {
+  set(name: string, value: string, options?: ResponseCookieOptions): void
+}
+
+function safeDecodeCookieSegment(value: string): string {
+  try {
+    return decodeURIComponent(value)
+  } catch {
+    return value
+  }
+}
+
+function parseResponseCookie(cookie: string): ParsedResponseCookie | null {
+  const [nameValue, ...attributes] = cookie.split(';')
+  const separator = nameValue?.indexOf('=') ?? -1
+  if (!nameValue || separator <= 0) {
+    return null
+  }
+
+  const options: ResponseCookieOptions = {}
+  for (const rawAttribute of attributes) {
+    const attribute = rawAttribute.trim()
+    if (!attribute) {
+      continue
+    }
+
+    const attributeSeparator = attribute.indexOf('=')
+    const key = (attributeSeparator === -1 ? attribute : attribute.slice(0, attributeSeparator)).trim().toLowerCase()
+    const value = attributeSeparator === -1 ? '' : attribute.slice(attributeSeparator + 1).trim()
+
+    switch (key) {
+      case 'path':
+        options.path = value
+        break
+      case 'domain':
+        options.domain = value
+        break
+      case 'max-age': {
+        const maxAge = Number(value)
+        if (Number.isFinite(maxAge)) {
+          options.maxAge = maxAge
+        }
+        break
+      }
+      case 'expires': {
+        const expires = new Date(value)
+        if (!Number.isNaN(expires.getTime())) {
+          options.expires = expires
+        }
+        break
+      }
+      case 'secure':
+        options.secure = true
+        break
+      case 'httponly':
+        options.httpOnly = true
+        break
+      case 'samesite':
+        if (value.toLowerCase() === 'lax' || value.toLowerCase() === 'strict' || value.toLowerCase() === 'none') {
+          options.sameSite = value.toLowerCase() as ResponseCookieOptions['sameSite']
+        }
+        break
+      case 'partitioned':
+        options.partitioned = true
+        break
+    }
+  }
+
+  return {
+    name: safeDecodeCookieSegment(nameValue.slice(0, separator)),
+    value: safeDecodeCookieSegment(nameValue.slice(separator + 1)),
+    options,
+  }
+}
+
 function resolveNextAuthRequestAccessors(): NonNullable<CreateHoloOptions['authRequest']> {
   return {
     async getCookie(name: string) {
@@ -28,6 +120,15 @@ function resolveNextAuthRequestAccessors(): NonNullable<CreateHoloOptions['authR
       const requestHeaders = await headers()
       return requestHeaders.get(name) ?? undefined
     },
+    async appendResponseCookie(cookie: string) {
+      const parsed = parseResponseCookie(cookie)
+      if (!parsed) {
+        return
+      }
+
+      const store = await cookies() as unknown as MutableNextCookieStore
+      store.set(parsed.name, parsed.value, parsed.options)
+    },
   }
 }
 
diff --git a/packages/adapter-next/tests/adapter.test.ts b/packages/adapter-next/tests/adapter.test.ts
index 6d8e369..fe6e916 100644
--- a/packages/adapter-next/tests/adapter.test.ts
+++ b/packages/adapter-next/tests/adapter.test.ts
@@ -10,6 +10,7 @@ import {
   initializeNextHoloProject,
   resetNextHoloProject,
 } from '../src'
+import { withHolo } from '../src/config'
 
 const configEntry = JSON.stringify(resolve(import.meta.dirname, '../../config/src/index.ts'))
 const tempDirs: string[] = []
@@ -171,4 +172,57 @@ export default defineConfig({
 
     expect(resolved.runtime.renderView).toBe(renderView)
   })
+
+  it('externalizes installed optional Holo server packages', async () => {
+    const root = await createProject()
+    await writeFile(join(root, 'package.json'), JSON.stringify({
+      dependencies: {
+        '@holo-js/auth': 'workspace:*',
+        '@holo-js/auth-social': 'workspace:*',
+        '@holo-js/auth-social-google': 'workspace:*',
+      },
+    }), 'utf8')
+
+    const previousCwd = process.cwd()
+    process.chdir(root)
+
+    try {
+      const config = withHolo({
+        serverExternalPackages: ['custom-runtime'],
+      })
+
+      expect(config.serverExternalPackages).toEqual(expect.arrayContaining([
+        '@holo-js/core',
+        '@holo-js/auth',
+        '@holo-js/auth-social',
+        '@holo-js/auth-social-google',
+        'custom-runtime',
+      ]))
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-social-github')
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-clerk')
+    } finally {
+      process.chdir(previousCwd)
+    }
+  })
+
+  it('ignores optional externals when package.json cannot be parsed', async () => {
+    const root = await createProject()
+    await writeFile(join(root, 'package.json'), '{', 'utf8')
+
+    const previousCwd = process.cwd()
+    process.chdir(root)
+
+    try {
+      const config = withHolo()
+
+      expect(config.serverExternalPackages).toEqual(expect.arrayContaining([
+        '@holo-js/core',
+        '@holo-js/adapter-next',
+      ]))
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth')
+      expect(config.serverExternalPackages).not.toContain('@holo-js/auth-social')
+    } finally {
+      process.chdir(previousCwd)
+    }
+  })
 })
diff --git a/packages/adapter-nuxt/src/runtime/composables/index.ts b/packages/adapter-nuxt/src/runtime/composables/index.ts
index ed89fe6..6fc3c06 100644
--- a/packages/adapter-nuxt/src/runtime/composables/index.ts
+++ b/packages/adapter-nuxt/src/runtime/composables/index.ts
@@ -29,6 +29,10 @@ type NuxtAuthRequestEvent = {
     readonly req?: {
       readonly headers?: Readonly<Record<string, string | readonly string[] | undefined>>
     }
+    readonly res?: {
+      getHeader(name: string): number | string | readonly string[] | undefined
+      setHeader(name: string, value: number | string | readonly string[]): void
+    }
   }
 }
 
@@ -140,6 +144,28 @@ export function createNuxtAuthRequestAccessors() {
     return undefined
   }
 
+  async function appendCookie(cookie: string): Promise<void> {
+    const nitroContext = await loadNitroContextModule()
+    const event = nitroContext.useEvent()
+    const response = event?.node?.res
+    if (!response) {
+      return
+    }
+
+    const current = response.getHeader('set-cookie')
+    if (Array.isArray(current)) {
+      response.setHeader('set-cookie', [...current, cookie])
+      return
+    }
+
+    if (typeof current === 'string') {
+      response.setHeader('set-cookie', [current, cookie])
+      return
+    }
+
+    response.setHeader('set-cookie', [cookie])
+  }
+
   const getCookieValue: NonNullable<CreateHoloOptions['authRequest']>['getCookie'] = async (name) => {
     return await readCookie(name)
   }
@@ -148,9 +174,14 @@ export function createNuxtAuthRequestAccessors() {
     return await readHeader(name)
   }
 
+  const appendResponseCookie: NonNullable<CreateHoloOptions['authRequest']>['appendResponseCookie'] = async (cookie) => {
+    await appendCookie(cookie)
+  }
+
   return {
     getCookie: getCookieValue,
     getHeader: getHeaderValue,
+    appendResponseCookie,
   } satisfies NonNullable<CreateHoloOptions['authRequest']>
 }
 
diff --git a/packages/adapter-nuxt/tests/module.test.ts b/packages/adapter-nuxt/tests/module.test.ts
index e130a9b..200cf67 100644
--- a/packages/adapter-nuxt/tests/module.test.ts
+++ b/packages/adapter-nuxt/tests/module.test.ts
@@ -356,6 +356,7 @@ export default defineDatabaseConfig({
   })
 
   it('skips malformed cookie segments when decoding auth cookies', async () => {
+    const headers = new Map<string, number | string | readonly string[]>()
     vi.resetModules()
     vi.doMock('nitropack/runtime/context', () => ({
       useEvent: () => ({
@@ -364,6 +365,16 @@ export default defineDatabaseConfig({
             cookie: 'broken=%; auth-token=secret%20value',
           }),
         },
+        node: {
+          res: {
+            getHeader(name: string) {
+              return headers.get(name)
+            },
+            setHeader(name: string, value: number | string | readonly string[]) {
+              headers.set(name, value)
+            },
+          },
+        },
       }),
     }))
 
@@ -372,6 +383,12 @@ export default defineDatabaseConfig({
 
     await expect(accessors.getCookie('broken')).resolves.toBeUndefined()
     await expect(accessors.getCookie('auth-token')).resolves.toBe('secret value')
+    await accessors.appendResponseCookie?.('holo_session=session-1; Path=/; HttpOnly')
+    await accessors.appendResponseCookie?.('holo_session_remember=remember-1; Path=/; HttpOnly')
+    expect(headers.get('set-cookie')).toEqual([
+      'holo_session=session-1; Path=/; HttpOnly',
+      'holo_session_remember=remember-1; Path=/; HttpOnly',
+    ])
   })
 
   it('generates a server import wrapper for model defaults when server models exist', async () => {
diff --git a/packages/adapter-sveltekit/src/index.ts b/packages/adapter-sveltekit/src/index.ts
index e556fdc..7eead71 100644
--- a/packages/adapter-sveltekit/src/index.ts
+++ b/packages/adapter-sveltekit/src/index.ts
@@ -17,28 +17,139 @@ export type SvelteKitHoloProject<TCustom extends HoloConfigMap = HoloConfigMap>
 type SvelteKitRequestEvent = {
   readonly cookies: {
     get(name: string): string | undefined
+    set(name: string, value: string, options: SvelteKitCookieOptions): void
   }
   readonly request: {
     readonly headers: Headers
   }
 }
 
+type SvelteKitCookieOptions = {
+  path: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+  partitioned?: boolean
+}
+
+type ParsedResponseCookie = {
+  readonly name: string
+  readonly value: string
+  readonly options: SvelteKitCookieOptions
+}
+
+type SvelteKitRuntimeGlobal = typeof globalThis & {
+  __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitRequestEvent>
+}
+
+// Shared AsyncLocalStorage contract with packages/auth/src/sveltekit/server.ts:
+// keep this exact global key and compatible AsyncLocalStorage<SvelteKitRequestEvent>
+// / AsyncLocalStorage<SvelteKitStoredRequestEvent> value types in sync.
 const svelteKitAdapter = createHoloFrameworkAdapter<SvelteKitHoloOptions>({
   stateKey: '__holoSvelteKitAdapter__',
   displayName: 'SvelteKit',
 })
-const svelteKitRequestEventStore = new AsyncLocalStorage<SvelteKitRequestEvent>()
+
+function getSvelteKitRequestEventStore(): AsyncLocalStorage<SvelteKitRequestEvent> {
+  const runtimeGlobal = globalThis as SvelteKitRuntimeGlobal
+  runtimeGlobal.__holoSvelteKitRequestEventStore ??= new AsyncLocalStorage<SvelteKitRequestEvent>()
+
+  return runtimeGlobal.__holoSvelteKitRequestEventStore
+}
+
+function safeDecodeCookieSegment(value: string): string {
+  try {
+    return decodeURIComponent(value)
+  } catch {
+    return value
+  }
+}
+
+function parseResponseCookie(cookie: string): ParsedResponseCookie | null {
+  const [nameValue, ...attributes] = cookie.split(';')
+  const separator = nameValue?.indexOf('=') ?? -1
+  if (!nameValue || separator <= 0) {
+    return null
+  }
+
+  const options: SvelteKitCookieOptions = { path: '/' }
+  for (const rawAttribute of attributes) {
+    const attribute = rawAttribute.trim()
+    if (!attribute) {
+      continue
+    }
+
+    const attributeSeparator = attribute.indexOf('=')
+    const key = (attributeSeparator === -1 ? attribute : attribute.slice(0, attributeSeparator)).trim().toLowerCase()
+    const value = attributeSeparator === -1 ? '' : attribute.slice(attributeSeparator + 1).trim()
+
+    switch (key) {
+      case 'path':
+        options.path = value || '/'
+        break
+      case 'domain':
+        options.domain = value
+        break
+      case 'max-age': {
+        const maxAge = Number(value)
+        if (Number.isFinite(maxAge)) {
+          options.maxAge = maxAge
+        }
+        break
+      }
+      case 'expires': {
+        const expires = new Date(value)
+        if (!Number.isNaN(expires.getTime())) {
+          options.expires = expires
+        }
+        break
+      }
+      case 'secure':
+        options.secure = true
+        break
+      case 'httponly':
+        options.httpOnly = true
+        break
+      case 'samesite':
+        if (value.toLowerCase() === 'lax' || value.toLowerCase() === 'strict' || value.toLowerCase() === 'none') {
+          options.sameSite = value.toLowerCase() as SvelteKitCookieOptions['sameSite']
+        }
+        break
+      case 'partitioned':
+        options.partitioned = value ? value.toLowerCase() === 'true' : true
+        break
+    }
+  }
+
+  return {
+    name: safeDecodeCookieSegment(nameValue.slice(0, separator)),
+    value: safeDecodeCookieSegment(nameValue.slice(separator + 1)),
+    options,
+  }
+}
 
 function resolveSvelteKitAuthRequestAccessors(): NonNullable<SvelteKitHoloOptions['authRequest']> {
   return {
     async getCookie(name: string) {
-      const event = svelteKitRequestEventStore.getStore()
+      const event = getSvelteKitRequestEventStore().getStore()
       return event?.cookies.get(name) ?? undefined
     },
     async getHeader(name: string) {
-      const event = svelteKitRequestEventStore.getStore()
+      const event = getSvelteKitRequestEventStore().getStore()
       return event?.request.headers.get(name) ?? undefined
     },
+    appendResponseCookie(cookie: string) {
+      const event = getSvelteKitRequestEventStore().getStore()
+      const parsed = parseResponseCookie(cookie)
+      if (!event || !parsed) {
+        return
+      }
+
+      event.cookies.set(parsed.name, parsed.value, parsed.options)
+    },
   }
 }
 
@@ -55,7 +166,7 @@ export function runWithSvelteKitRequestEvent<TValue>(
   event: SvelteKitRequestEvent,
   callback: () => TValue,
 ): TValue {
-  return svelteKitRequestEventStore.run(event, callback)
+  return getSvelteKitRequestEventStore().run(event, callback)
 }
 
 export async function createSvelteKitHoloProject<TCustom extends HoloConfigMap = HoloConfigMap>(
diff --git a/packages/adapter-sveltekit/tests/runtime.test.ts b/packages/adapter-sveltekit/tests/runtime.test.ts
index 0258092..9d2effc 100644
--- a/packages/adapter-sveltekit/tests/runtime.test.ts
+++ b/packages/adapter-sveltekit/tests/runtime.test.ts
@@ -3,6 +3,7 @@ import { afterEach, describe, expect, it, vi } from 'vitest'
 type MockAuthRequest = {
   getCookie(name: string): Promise<string | undefined>
   getHeader(name: string): Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
 }
 
 function makeHoloCoreMock(
@@ -64,6 +65,16 @@ afterEach(() => {
 describe('@holo-js/adapter-sveltekit request context', () => {
   it('owns auth request accessors inside the adapter and resolves them from the current request event', async () => {
     let capturedAuthRequest: MockAuthRequest | undefined
+    const responseCookies: Array<{
+      readonly name: string
+      readonly value: string
+      readonly options: {
+        readonly path: string
+        readonly httpOnly?: boolean
+        readonly sameSite?: 'lax' | 'strict' | 'none'
+        readonly partitioned?: boolean
+      }
+    }> = []
 
     vi.doMock('@holo-js/core', () => makeHoloCoreMock((authRequest) => {
       capturedAuthRequest = authRequest
@@ -79,6 +90,9 @@ describe('@holo-js/adapter-sveltekit request context', () => {
         get(name: string) {
           return name === 'session' ? 'cookie-value' : undefined
         },
+        set(name, value, options) {
+          responseCookies.push({ name, value, options })
+        },
       },
       request: {
         headers: new Headers({
@@ -94,8 +108,31 @@ describe('@holo-js/adapter-sveltekit request context', () => {
       }
       await expect(capturedAuthRequest.getCookie('session')).resolves.toBe('cookie-value')
       await expect(capturedAuthRequest.getHeader('x-request-id')).resolves.toBe('header-value')
+      await capturedAuthRequest.appendResponseCookie?.('session=response-value; Path=/; HttpOnly; SameSite=Lax; Partitioned')
+      await capturedAuthRequest.appendResponseCookie?.('analytics=off; Path=/metrics; Partitioned=false')
     })
 
+    expect(responseCookies).toEqual([
+      {
+        name: 'session',
+        value: 'response-value',
+        options: {
+          path: '/',
+          httpOnly: true,
+          sameSite: 'lax',
+          partitioned: true,
+        },
+      },
+      {
+        name: 'analytics',
+        value: 'off',
+        options: {
+          path: '/metrics',
+          partitioned: false,
+        },
+      },
+    ])
+
     expect(capturedAuthRequest).toBeDefined()
     if (!capturedAuthRequest) {
       throw new Error('Expected auth request accessors to be captured.')
diff --git a/packages/auth-social/src/index.ts b/packages/auth-social/src/index.ts
index f73383f..984c38c 100644
--- a/packages/auth-social/src/index.ts
+++ b/packages/auth-social/src/index.ts
@@ -85,12 +85,35 @@ export interface SocialAuthBindings {
 
 export interface SocialAuthFacade {
   redirect(provider: string, request: Request): Promise<Response>
-  callback(provider: string, request: Request): Promise<Response>
+  callback(provider: string, request: Request): Promise<SocialCallbackResult>
 }
 
-let socialBindings: SocialAuthBindings | undefined
+export type SocialCallbackResult = SocialCallbackSuccess | SocialCallbackFailure
+
+export interface SocialCallbackSuccess {
+  readonly ok: true
+  readonly guard: string
+  readonly authProvider: string
+  readonly provider: string
+  readonly user: AuthUserLike
+}
+
+export interface SocialCallbackFailure {
+  readonly ok: false
+  readonly status: 400
+  readonly message: string
+}
+
+const SOCIAL_BINDINGS_KEY = '__holoAuthSocialBindings__'
 const AUTH_PROVIDER_MARKER = Symbol.for('holo-js.auth.provider')
 type RuntimeAuthProviderAdapter = ReturnType<typeof authRuntimeInternals.getRuntimeBindings>['providers'][string]
+type SocialRuntimeGlobal = typeof globalThis & {
+  [SOCIAL_BINDINGS_KEY]?: SocialAuthBindings
+}
+
+function getSocialRuntimeGlobal(): SocialRuntimeGlobal {
+  return globalThis as SocialRuntimeGlobal
+}
 
 function requireUserRecord(user: unknown, message: string): Record<string, unknown> {
   if (user == null) {
@@ -141,6 +164,7 @@ function throwUnconfigured(): never {
 }
 
 function getBindings(): SocialAuthBindings {
+  const socialBindings = getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY]
   if (!socialBindings) {
     throwUnconfigured()
   }
@@ -250,9 +274,6 @@ function resolveGuardAndProvider(provider: string): {
   if (!guard) {
     throw new Error(`[@holo-js/auth-social] Guard "${guardName}" is not configured for social provider "${provider}".`)
   }
-  if (guard.driver !== 'session') {
-    throw new Error(`[@holo-js/auth-social] Social sign-in requires auth guard "${guardName}" to use the session driver.`)
-  }
 
   const authProvider = providerConfig.mapToProvider ?? guard.provider
   const adapter = authBindings.providers[authProvider]
@@ -482,19 +503,23 @@ async function readCallbackParameters(request: Request): Promise<{
   }
 }
 
-export async function callback(provider: string, request: Request): Promise<Response> {
+export async function callback(provider: string, request: Request): Promise<SocialCallbackResult> {
   const { state, code } = await readCallbackParameters(request)
   if (!state || !code) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: 'Missing OAuth state or code.',
-    }, { status: 400 })
+    }
   }
 
   const pending = await getBindings().stateStore.read(provider, state)
   if (!pending) {
-    return Response.json({
+    return {
+      ok: false,
+      status: 400,
       message: 'Invalid or expired OAuth state.',
-    }, { status: 400 })
+    }
   }
 
   await getBindings().stateStore.delete(provider, state)
@@ -510,32 +535,22 @@ export async function callback(provider: string, request: Request): Promise<Resp
   })
 
   const linked = await resolveLinkedUser(provider, exchanged.profile, exchanged.tokens)
-  const established = await authRuntimeInternals.establishSessionForUser(linked.user, {
-    guard: linked.guard,
-    provider: linked.authProvider,
-  })
-  const headers = new Headers()
-  for (const cookie of established.cookies) {
-    headers.append('set-cookie', cookie)
-  }
 
-  return Response.json({
-    authenticated: true,
+  return {
+    ok: true,
     guard: linked.guard,
+    authProvider: linked.authProvider,
     provider,
     user: linked.user,
-  }, {
-    status: 200,
-    headers,
-  })
+  }
 }
 
 export function configureSocialAuthRuntime(bindings?: SocialAuthBindings): void {
-  socialBindings = bindings
+  getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY] = bindings
 }
 
 export function resetSocialAuthRuntime(): void {
-  socialBindings = undefined
+  delete getSocialRuntimeGlobal()[SOCIAL_BINDINGS_KEY]
 }
 
 export const socialAuth = Object.freeze({
diff --git a/packages/auth-social/tests/package.test.ts b/packages/auth-social/tests/package.test.ts
index 048d559..de95d94 100644
--- a/packages/auth-social/tests/package.test.ts
+++ b/packages/auth-social/tests/package.test.ts
@@ -1,6 +1,6 @@
 import { afterEach, describe, expect, it } from 'vitest'
 import { configureSessionRuntime, getSessionRuntime, resetSessionRuntime } from '../../session/src/runtime'
-import { authRuntimeInternals, configureAuthRuntime, defineAuthConfig, resetAuthRuntime, tokens } from '../../auth/src'
+import auth, { authRuntimeInternals, configureAuthRuntime, defineAuthConfig, resetAuthRuntime, tokens } from '../../auth/src'
 import type { AuthProviderAdapter, AuthTokenStore, PersonalAccessTokenRecord } from '../../auth/src'
 import {
   callback,
@@ -312,8 +312,9 @@ describe('@holo-js/auth-social', () => {
     expect(runtime.stateStore.records.size).toBe(1)
 
     const invalid = await callback('google', new Request('https://app.test/auth/google/callback?state=bad&code=demo'))
-    expect(invalid.status).toBe(400)
-    await expect(invalid.json()).resolves.toMatchObject({
+    expect(invalid).toMatchObject({
+      ok: false,
+      status: 400,
       message: 'Invalid or expired OAuth state.',
     })
   })
@@ -355,16 +356,21 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-1`))
-    expect(response.status).toBe(200)
-    expect(response.headers.get('set-cookie')).toContain('holo_session=')
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       user: {
         id: localUser.id,
         email: 'existing@example.com',
       },
     })
+    expect(runtime.context.getSessionId('web')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    const session = await auth.guard(response.guard).loginUsing(response.user)
+    expect(session.cookies.join('; ')).toContain('holo_session=')
     expect(runtime.context.getSessionId('web')).toBeTypeOf('string')
   })
 
@@ -391,7 +397,7 @@ describe('@holo-js/auth-social', () => {
       },
     })
     let response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-link`))
-    expect(response.status).toBe(200)
+    expect(response.ok).toBe(true)
     expect((await runtime.identityStore.findByProviderUserId('google', 'google-link'))?.userId).toBe(existing.id)
 
     redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
@@ -409,13 +415,36 @@ describe('@holo-js/auth-social', () => {
       },
     })
     response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-create`))
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       user: {
         email: 'new@example.com',
         name: 'New Social User',
       },
     })
     expect(runtime.usersProvider.usersByEmail.has('new@example.com')).toBe(true)
+
+    redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
+    state = new URL(redirectResponse.headers.get('location')!).searchParams.get('state')!
+    runtime.exchangeProfiles.set('code-redirect', {
+      profile: {
+        id: 'google-redirect',
+        email: 'redirect@example.com',
+        emailVerified: true,
+        name: 'Redirect User',
+      },
+      tokens: {
+        accessToken: 'redirect-token',
+      },
+    })
+    response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-redirect`))
+    expect(response).toMatchObject({
+      ok: true,
+      user: {
+        email: 'redirect@example.com',
+      },
+    })
+    expect(runtime.usersProvider.usersByEmail.has('redirect@example.com')).toBe(true)
   })
 
   it('preserves the auth provider marker on linked social users', async () => {
@@ -460,16 +489,16 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-map-to-provider`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       guard: 'web',
+      authProvider: 'admins',
       user: {
         email: 'admin@example.com',
       },
     })
-    expect(runtime.context.getSessionId('web')).toBeTypeOf('string')
+    expect(runtime.context.getSessionId('web')).toBeUndefined()
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-admin-web')
     expect(storedIdentity).toMatchObject({
@@ -478,13 +507,6 @@ describe('@holo-js/auth-social', () => {
       userId: 1,
     })
 
-    const sessionId = runtime.context.getSessionId('web')
-    const record = sessionId ? await runtime.sessionStore.read(sessionId) : null
-    expect(authRuntimeInternals.readSessionPayload(record, 'web')).toMatchObject({
-      guard: 'web',
-      provider: 'admins',
-      userId: 1,
-    })
     expect(runtime.usersProvider.users.size).toBe(0)
     expect(runtime.adminsProvider.users.size).toBe(1)
   })
@@ -513,7 +535,7 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-unverified-existing`))
-    expect(response.status).toBe(200)
+    expect(response.ok).toBe(true)
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-unverified-existing')
     expect(storedIdentity?.userId).not.toBe(existing.id)
@@ -548,9 +570,8 @@ describe('@holo-js/auth-social', () => {
       }),
     }))
 
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
-      authenticated: true,
+    expect(response).toMatchObject({
+      ok: true,
       provider: 'google',
       user: {
         email: 'form@example.com',
@@ -596,8 +617,8 @@ describe('@holo-js/auth-social', () => {
       },
     })
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-allow`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       user: {
         email: 'google-allow@google.social.local',
       },
@@ -625,14 +646,22 @@ describe('@holo-js/auth-social', () => {
     })
 
     const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-admin`))
-    expect(response.status).toBe(200)
-    await expect(response.json()).resolves.toMatchObject({
+    expect(response).toMatchObject({
+      ok: true,
       guard: 'admin',
+      authProvider: 'admins',
       user: {
         email: 'admin@example.com',
       },
     })
+    expect(runtime.context.getSessionId('admin')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    const session = await auth.guard(response.guard).loginUsing(response.user)
     expect(runtime.context.getSessionId('admin')).toBeTypeOf('string')
+    expect(session.cookies.join('; ')).toContain('holo_session=')
     expect(runtime.adminsProvider.usersByEmail.has('admin@example.com')).toBe(true)
 
     const storedIdentity = await runtime.identityStore.findByProviderUserId('google', 'google-admin')
@@ -647,13 +676,46 @@ describe('@holo-js/auth-social', () => {
     })
   })
 
-  it('rejects social providers mapped to token guards', async () => {
-    configureRuntime({
+  it('returns the linked user for token guards without creating a session', async () => {
+    const runtime = configureRuntime({
       socialGuard: 'api',
     })
-    await expect(redirect('google', new Request(
-      'https://app.test/auth/google',
-    ))).rejects.toThrow('requires auth guard "api" to use the session driver')
+    const redirectResponse = await redirect('google', new Request('https://app.test/auth/google'))
+    const state = new URL(redirectResponse.headers.get('location')!).searchParams.get('state')!
+    runtime.exchangeProfiles.set('code-api', {
+      profile: {
+        id: 'google-api',
+        email: 'api@example.com',
+        emailVerified: true,
+        name: 'API Social',
+      },
+      tokens: {
+        accessToken: 'api-access',
+      },
+    })
+
+    const response = await callback('google', new Request(`https://app.test/auth/google/callback?state=${state}&code=code-api`))
+
+    expect(response).toMatchObject({
+      ok: true,
+      guard: 'api',
+      authProvider: 'users',
+      user: {
+        email: 'api@example.com',
+      },
+    })
+    expect(runtime.context.getSessionId('api')).toBeUndefined()
+    if (!response.ok) {
+      throw new Error('Expected successful social callback.')
+    }
+
+    await expect(tokens.create(response.user, {
+      guard: response.guard,
+      name: 'social-api',
+    })).resolves.toMatchObject({
+      provider: 'users',
+      userId: 1,
+    })
   })
 
   it('fails closed for missing provider runtime, missing config activation, and PKCE mismatch', async () => {
diff --git a/packages/auth/src/contracts.ts b/packages/auth/src/contracts.ts
index 4fa479c..997e4d4 100644
--- a/packages/auth/src/contracts.ts
+++ b/packages/auth/src/contracts.ts
@@ -467,6 +467,7 @@ export interface AuthRuntimeContext {
   setCachedUser(guardName: string, user: AuthUser | null): void
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
   getAccessToken?(guardName: string): string | undefined
   setAccessToken?(guardName: string, token?: string): void
   getRememberToken?(guardName: string): string | undefined
diff --git a/packages/auth/src/runtime.ts b/packages/auth/src/runtime.ts
index e7bc869..0e3828a 100644
--- a/packages/auth/src/runtime.ts
+++ b/packages/auth/src/runtime.ts
@@ -904,6 +904,19 @@ async function resolveRequestHeader(
   return typeof value === 'string' && value.length > 0 ? value : undefined
 }
 
+async function appendResponseCookies(
+  bindings: RuntimeBindings,
+  cookies: readonly string[],
+): Promise<void> {
+  if (!bindings.context.appendResponseCookie) {
+    return
+  }
+
+  for (const cookie of cookies) {
+    await bindings.context.appendResponseCookie(cookie)
+  }
+}
+
 function parseBearerToken(header: string | undefined): string | undefined {
   if (typeof header !== 'string') {
     return undefined
@@ -2210,9 +2223,12 @@ async function logoutForGuard(guardName: string): Promise<AuthLogoutResult> {
   bindings.context.setCachedUser(guardName, null)
   bindings.context.setRememberToken?.(guardName)
 
+  const cookies = buildLogoutCookies(bindings, guardName, { clearSessionCookies })
+  await appendResponseCookies(bindings, cookies)
+
   return Object.freeze({
     guard: guardName,
-    cookies: buildLogoutCookies(bindings, guardName, { clearSessionCookies }),
+    cookies,
   })
 }
 
@@ -2400,6 +2416,7 @@ async function establishSessionForUser(
       ? [forgetDefaultRememberCookie(bindings)].filter((cookie): cookie is string => typeof cookie === 'string')
       : []),
   ]
+  await appendResponseCookies(bindings, cookies)
 
   return Object.freeze({
     guard: options.guard,
diff --git a/packages/auth/src/sveltekit/server.ts b/packages/auth/src/sveltekit/server.ts
index 78aad3c..5b38b7b 100644
--- a/packages/auth/src/sveltekit/server.ts
+++ b/packages/auth/src/sveltekit/server.ts
@@ -1,3 +1,4 @@
+import { AsyncLocalStorage } from 'node:async_hooks'
 import holoAuth, { user as currentUser } from '../index'
 import type { AuthUserLike, HoloAuthUser } from '../contracts'
 
@@ -28,6 +29,33 @@ export type SvelteKitHandleEvent = {
   readonly url: URL
 }
 
+type SvelteKitCookieOptions = {
+  path: string
+  domain?: string
+  maxAge?: number
+  expires?: Date
+  secure?: boolean
+  httpOnly?: boolean
+  sameSite?: 'lax' | 'strict' | 'none'
+}
+
+type SvelteKitStoredRequestEvent = SvelteKitHandleEvent & {
+  readonly cookies: {
+    get(name: string): string | undefined
+    set(name: string, value: string, options: SvelteKitCookieOptions): void
+  }
+  readonly request: {
+    readonly headers: Headers
+  }
+}
+
+type SvelteKitRuntimeGlobal = typeof globalThis & {
+  __holoSvelteKitRequestEventStore?: AsyncLocalStorage<SvelteKitStoredRequestEvent>
+}
+
+// Shared AsyncLocalStorage contract with packages/adapter-sveltekit/src/index.ts:
+// keep this exact global key and compatible AsyncLocalStorage<SvelteKitStoredRequestEvent>
+// / AsyncLocalStorage<SvelteKitRequestEvent> value types in sync.
 export type SvelteKitHandleInput<TEvent extends SvelteKitHandleEvent = SvelteKitHandleEvent> = {
   readonly event: TEvent
   readonly resolve: (event: TEvent, options?: never) => Response | Promise<Response>
@@ -37,6 +65,40 @@ export type SvelteKitHandle = <TEvent extends SvelteKitHandleEvent>(
   input: SvelteKitHandleInput<TEvent>,
 ) => Response | Promise<Response>
 
+function getSvelteKitRequestEventStore(): AsyncLocalStorage<SvelteKitStoredRequestEvent> {
+  const runtimeGlobal = globalThis as SvelteKitRuntimeGlobal
+  runtimeGlobal.__holoSvelteKitRequestEventStore ??= new AsyncLocalStorage<SvelteKitStoredRequestEvent>()
+
+  return runtimeGlobal.__holoSvelteKitRequestEventStore
+}
+
+function isSvelteKitStoredRequestEvent(event: SvelteKitHandleEvent): event is SvelteKitStoredRequestEvent {
+  const candidate = event as SvelteKitHandleEvent & {
+    readonly cookies?: {
+      get?: unknown
+      set?: unknown
+    }
+    readonly request?: {
+      readonly headers?: unknown
+    }
+  }
+
+  return typeof candidate.cookies?.get === 'function'
+    && typeof candidate.cookies.set === 'function'
+    && candidate.request?.headers instanceof Headers
+}
+
+function runWithSvelteKitRequestEvent<TValue>(
+  event: SvelteKitHandleEvent,
+  callback: () => TValue,
+): TValue {
+  if (!isSvelteKitStoredRequestEvent(event)) {
+    return callback()
+  }
+
+  return getSvelteKitRequestEventStore().run(event, callback)
+}
+
 function toClientAuthUser(user: (HoloAuthUser & AuthUserLike) | null): HoloAuthUser | null {
   // AuthUserLike custom fields crossing SvelteKit load boundaries must stay JSON-safe.
   return user ? JSON.parse(JSON.stringify(user)) as HoloAuthUser : null
@@ -104,41 +166,45 @@ export async function auth(options: AuthOptions = {}): Promise<AuthState> {
 
 export function guestOnly(options: GuestOnlyOptions): SvelteKitHandle {
   return async ({ event, resolve }) => {
-    if (!matchesRoutes(options.routes, event.url.pathname)) {
-      return resolve(event)
-    }
-
-    const currentAuth = await auth({ guard: options.guard })
-    if (!currentAuth.authenticated) {
-      return resolve(event)
-    }
-
-    const redirectUrl = new URL(options.redirectTo, event.url)
-    if (isSameUrl(event.url, redirectUrl)) {
-      return resolve(event)
-    }
-
-    return Response.redirect(redirectUrl, options.status ?? 303)
+    return runWithSvelteKitRequestEvent(event, async () => {
+      if (!matchesRoutes(options.routes, event.url.pathname)) {
+        return resolve(event)
+      }
+
+      const currentAuth = await auth({ guard: options.guard })
+      if (!currentAuth.authenticated) {
+        return resolve(event)
+      }
+
+      const redirectUrl = new URL(options.redirectTo, event.url)
+      if (isSameUrl(event.url, redirectUrl)) {
+        return resolve(event)
+      }
+
+      return Response.redirect(redirectUrl, options.status ?? 303)
+    })
   }
 }
 
 export function authOnly(options: AuthOnlyOptions): SvelteKitHandle {
   return async ({ event, resolve }) => {
-    if (!matchesRoutes(options.routes, event.url.pathname)) {
-      return resolve(event)
-    }
-
-    const currentAuth = await auth({ guard: options.guard })
-    if (currentAuth.authenticated) {
-      return resolve(event)
-    }
-
-    const redirectUrl = new URL(options.redirectTo, event.url)
-    if (isSameUrl(event.url, redirectUrl)) {
-      return resolve(event)
-    }
-
-    return Response.redirect(redirectUrl, options.status ?? 303)
+    return runWithSvelteKitRequestEvent(event, async () => {
+      if (!matchesRoutes(options.routes, event.url.pathname)) {
+        return resolve(event)
+      }
+
+      const currentAuth = await auth({ guard: options.guard })
+      if (currentAuth.authenticated) {
+        return resolve(event)
+      }
+
+      const redirectUrl = new URL(options.redirectTo, event.url)
+      if (isSameUrl(event.url, redirectUrl)) {
+        return resolve(event)
+      }
+
+      return Response.redirect(redirectUrl, options.status ?? 303)
+    })
   }
 }
 
diff --git a/packages/auth/tests/package.test.ts b/packages/auth/tests/package.test.ts
index b7595f7..24c573f 100644
--- a/packages/auth/tests/package.test.ts
+++ b/packages/auth/tests/package.test.ts
@@ -771,6 +771,73 @@ describe('@holo-js/auth package runtime', () => {
     expect(loggedOut.cookies).toContainEqual(expect.stringContaining('holo_session_remember=;'))
   })
 
+  it('appends session and logout cookies to the active response context', async () => {
+    const runtime = configureRuntime()
+    const appendedCookies: string[] = []
+    const currentBindings = authRuntimeInternals.getRuntimeBindings()
+
+    configureAuthRuntime({
+      ...currentBindings,
+      context: {
+        ...runtime.context,
+        appendResponseCookie(cookie) {
+          appendedCookies.push(cookie)
+        },
+      },
+    })
+
+    const created = unwrapAuthResult(await register({
+      name: 'Ava',
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      passwordConfirmation: 'secret-secret',
+    }))
+    const established = await loginUsing(created)
+
+    expect(appendedCookies).toEqual([...established.cookies])
+
+    const loggedOut = await logout()
+
+    expect(appendedCookies).toEqual([
+      ...established.cookies,
+      ...loggedOut.cookies,
+    ])
+  })
+
+  it('waits for async response cookie appends during session login and logout', async () => {
+    const runtime = configureRuntime()
+    const appendedCookies: string[] = []
+    const currentBindings = authRuntimeInternals.getRuntimeBindings()
+
+    configureAuthRuntime({
+      ...currentBindings,
+      context: {
+        ...runtime.context,
+        async appendResponseCookie(cookie) {
+          await new Promise<void>(resolve => setTimeout(resolve, 1))
+          appendedCookies.push(cookie)
+        },
+      },
+    })
+
+    const created = unwrapAuthResult(await register({
+      name: 'Ava',
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      passwordConfirmation: 'secret-secret',
+    }))
+    const established = await loginUsing(created)
+
+    expect(appendedCookies).toEqual([...established.cookies])
+
+    const loggedOut = await logout()
+
+    expect(appendedCookies).toEqual([
+      ...established.cookies,
+      ...loggedOut.cookies,
+    ])
+  })
+
   it('hydrates the request session cookie before logout and invalidates the stored session', async () => {
     const runtime = configureRuntime()
     const created = await runtime.usersProvider.create({
diff --git a/packages/core/src/portable/holo.ts b/packages/core/src/portable/holo.ts
index b34485c..a041349 100644
--- a/packages/core/src/portable/holo.ts
+++ b/packages/core/src/portable/holo.ts
@@ -826,6 +826,7 @@ export interface CreateHoloOptions {
   readonly authRequest?: {
     readonly getCookie?: (name: string) => string | undefined | Promise<string | undefined>
     readonly getHeader?: (name: string) => string | undefined | Promise<string | undefined>
+    readonly appendResponseCookie?: (cookie: string) => void | Promise<void>
   }
 }
 
@@ -1377,11 +1378,13 @@ function attachAuthRequestAccessors<TContext extends {
 ): TContext & {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
 } {
   return Object.freeze({
     ...context,
     getRequestCookie: accessors.getCookie,
     getRequestHeader: accessors.getHeader,
+    appendResponseCookie: accessors.appendResponseCookie,
   })
 }
 
@@ -1401,6 +1404,7 @@ function createRequestAwareAuthContext<TContext extends {
 ): TContext & {
   getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
   getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+  appendResponseCookie?(cookie: string): void | Promise<void>
   setRequestAccessors(accessors?: CreateHoloOptions['authRequest']): void
 } {
   const requestAccessorStorage = new AsyncLocalStorage<{
@@ -1409,6 +1413,7 @@ function createRequestAwareAuthContext<TContext extends {
   type RequestAccessContext = TContext & {
     getRequestCookie?(name: string): string | undefined | Promise<string | undefined>
     getRequestHeader?(name: string): string | undefined | Promise<string | undefined>
+    appendResponseCookie?(cookie: string): void | Promise<void>
   }
 
   const resolveRequestContext = (): RequestAccessContext => {
@@ -1428,6 +1433,9 @@ function createRequestAwareAuthContext<TContext extends {
     getRequestHeader(name) {
       return resolveRequestContext().getRequestHeader?.(name)
     },
+    appendResponseCookie(cookie) {
+      return resolveRequestContext().appendResponseCookie?.(cookie)
+    },
     setRequestAccessors(nextAccessors) {
       requestAccessorStorage.enterWith({
         accessors: nextAccessors,
diff --git a/packages/forms/src/client.ts b/packages/forms/src/client.ts
index 105d9e6..cb52f8b 100644
--- a/packages/forms/src/client.ts
+++ b/packages/forms/src/client.ts
@@ -1,11 +1,14 @@
-import type {
-  FormFailurePayload,
-  InferFormData,
-  FormSchema,
-  FormSubmissionResult,
-  FormSuccessPayload,
-  SerializedFormSubmission as SerializedSubmissionState,
-  SerializedFormSubmission,
+import {
+  type FormFailureInput,
+  type FormFailurePayload,
+  type InferFormData,
+  type FormSchema,
+  type FormSubmissionResult,
+  type FormSuccessPayload,
+  type SerializedFormSubmission as SerializedSubmissionState,
+  type SerializedFormSubmission,
+  normalizeFailureErrors,
+  normalizeFailureInput,
 } from './contracts'
 import { FormContractError } from './errors'
 import { clearSensitiveInputValues, sanitizeFlashedInput } from './sensitiveInput'
@@ -132,11 +135,12 @@ function serializeSubmissionState<TData>(
   valid: boolean,
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
+  schemaDefinition?: FormSchema,
 ): SerializedFormSubmission<TData> {
   return Object.freeze({
     valid,
     submitted: true as const,
-    values: sanitizeFlashedInput(values),
+    values: sanitizeFlashedInput(values, schemaDefinition),
     errors: errors.flatten(),
   })
 }
@@ -146,17 +150,22 @@ function createSubmission<TData>(
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
   failureStatus = 422,
+  schemaDefinition?: FormSchema,
 ): FormSubmissionResult<TData> {
   const normalizedFailureStatus = normalizeStatus(failureStatus, 422)
-  const serialize = () => serializeSubmissionState(valid, values, errors)
+  const serialize = () => serializeSubmissionState(valid, values, errors, schemaDefinition)
 
-  const failure = (): FormFailurePayload<TData> => ({
-    ok: false,
-    status: normalizedFailureStatus,
-    valid: false as const,
-    values: sanitizeFlashedInput(values) as Partial<TData>,
-    errors: errors.flatten(),
-  })
+  const failure = (input?: FormFailureInput): FormFailurePayload<TData> => {
+    const normalized = normalizeFailureInput(input, normalizedFailureStatus)
+
+    return {
+      ok: false,
+      status: normalized.status,
+      valid: false as const,
+      values: sanitizeFlashedInput(values, schemaDefinition) as Partial<TData>,
+      errors: normalizeFailureErrors(errors.flatten(), normalized.errors),
+    }
+  }
 
   const success = <TPayload>(payload?: TPayload, status?: number): FormSuccessPayload<TPayload | undefined> => ({
     ok: true,
@@ -174,12 +183,8 @@ function createSubmission<TData>(
       errors,
       serialize,
       success,
-      fail(status?: number) {
-        const payload = failure()
-        return {
-          ...payload,
-          status: normalizeStatus(status, payload.status),
-        }
+      fail(input?: FormFailureInput) {
+        return failure(input)
       },
     })
   }
@@ -192,12 +197,8 @@ function createSubmission<TData>(
     errors,
     serialize,
     success,
-    fail(status?: number) {
-      const payload = failure()
-      return {
-        ...payload,
-        status: normalizeStatus(status, payload.status),
-      }
+    fail(input?: FormFailureInput) {
+      return failure(input)
     },
   })
 }
@@ -206,8 +207,7 @@ function createSuccessfulSubmission<TData>(
   schemaDefinition: FormSchema,
   data: TData,
 ): FormSubmissionResult<TData> {
-  void schemaDefinition
-  return createSubmission<TData>(true, data, createErrorBag())
+  return createSubmission<TData>(true, data, createErrorBag(), 422, schemaDefinition)
 }
 
 function createFailedSubmission<TData>(
@@ -222,6 +222,7 @@ function createFailedSubmission<TData>(
     values,
     createErrorBag<TData>(flattenedErrors),
     normalizeStatus(status, 422),
+    schemaDefinition,
   )
 }
 
@@ -849,7 +850,7 @@ export function useForm<TSchema extends FormSchema, TSuccess = unknown>(
 
       if ('ok' in normalized && normalized.ok === false) {
         state.values = mergeValues(state.values, normalized.values)
-        clearSensitiveInputValues(state.values)
+        clearSensitiveInputValues(state.values, schemaDefinition)
         state.flattenedErrors = normalized.errors
         state.lastSubmission = normalized
         notifyListeners(state)
@@ -858,7 +859,7 @@ export function useForm<TSchema extends FormSchema, TSuccess = unknown>(
 
       const normalizedSubmission = normalized as FormSubmissionResult<TData>
       state.values = mergeValues(state.values, normalizedSubmission.values)
-      clearSensitiveInputValues(state.values)
+      clearSensitiveInputValues(state.values, schemaDefinition)
       state.flattenedErrors = normalizedSubmission.errors.flatten()
       state.lastSubmission = normalizedSubmission.valid
         ? undefined
diff --git a/packages/forms/src/contracts.ts b/packages/forms/src/contracts.ts
index 7778715..f35c431 100644
--- a/packages/forms/src/contracts.ts
+++ b/packages/forms/src/contracts.ts
@@ -23,6 +23,15 @@ export interface FormFailurePayload<TData> {
   readonly errors: Record<string, readonly string[]>
 }
 
+export type FormFailureErrors = Readonly<Partial<Record<string, readonly string[]>>>
+
+export interface FormFailureOptions {
+  readonly status?: number
+  readonly errors?: FormFailureErrors
+}
+
+export type FormFailureInput = number | FormFailureOptions | undefined
+
 export interface FormSuccessPayload<TPayload = undefined> {
   readonly ok: true
   readonly status: number
@@ -90,7 +99,9 @@ export interface FormSubmissionSuccess<TData> {
   serialize(): SerializedFormSubmission<TData>
   success(): FormSuccessPayload<undefined>
   success<TPayload>(payload: TPayload, status?: number): FormSuccessPayload<TPayload>
+  fail(): FormFailurePayload<TData>
   fail(status?: number): FormFailurePayload<TData>
+  fail(options: FormFailureOptions): FormFailurePayload<TData>
 }
 
 export interface FormSubmissionFailure<TData> {
@@ -102,7 +113,9 @@ export interface FormSubmissionFailure<TData> {
   serialize(): SerializedFormSubmission<TData>
   success(): FormSuccessPayload<undefined>
   success<TPayload>(payload: TPayload, status?: number): FormSuccessPayload<TPayload>
+  fail(): FormFailurePayload<TData>
   fail(status?: number): FormFailurePayload<TData>
+  fail(options: FormFailureOptions): FormFailurePayload<TData>
 }
 
 export type FormSubmissionResult<TData> = FormSubmissionSuccess<TData> | FormSubmissionFailure<TData>
@@ -119,15 +132,51 @@ function normalizeStatus(value: number | undefined, fallback: number): number {
   return value
 }
 
+export function normalizeFailureInput(input: FormFailureInput, fallbackStatus: number): {
+  readonly status: number
+  readonly errors?: FormFailureErrors
+} {
+  if (typeof input === 'number') {
+    return {
+      status: normalizeStatus(input, fallbackStatus),
+    }
+  }
+
+  return {
+    status: normalizeStatus(input?.status, fallbackStatus),
+    errors: input?.errors,
+  }
+}
+
+export function normalizeFailureErrors(
+  fallback: Record<string, readonly string[]>,
+  override: FormFailureErrors | undefined,
+): Record<string, readonly string[]> {
+  if (!override) {
+    return fallback
+  }
+
+  const normalized: Record<string, readonly string[]> = { ...fallback }
+
+  for (const [field, messages] of Object.entries(override)) {
+    if (typeof messages !== 'undefined') {
+      normalized[field] = messages
+    }
+  }
+
+  return normalized
+}
+
 function serializeSubmissionState<TData>(
   valid: boolean,
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
+  schemaDefinition?: FormSchema,
 ): SerializedFormSubmission<TData> {
   return Object.freeze({
     valid,
     submitted: true as const,
-    values: sanitizeFlashedInput(values),
+    values: sanitizeFlashedInput(values, schemaDefinition),
     errors: errors.flatten(),
   })
 }
@@ -137,17 +186,22 @@ function createSubmission<TData>(
   values: Partial<TData> | TData,
   errors: ValidationErrorBag<TData>,
   failureStatus = 422,
+  schemaDefinition?: FormSchema,
 ): FormSubmissionResult<TData> {
   const normalizedFailureStatus = normalizeStatus(failureStatus, 422)
-  const serialize = () => serializeSubmissionState(valid, values, errors)
+  const serialize = () => serializeSubmissionState(valid, values, errors, schemaDefinition)
 
-  const failure = (): FormFailurePayload<TData> => ({
-    ok: false,
-    status: normalizedFailureStatus,
-    valid: false as const,
-    values: sanitizeFlashedInput(values) as Partial<TData>,
-    errors: errors.flatten(),
-  })
+  const failure = (input?: FormFailureInput): FormFailurePayload<TData> => {
+    const normalized = normalizeFailureInput(input, normalizedFailureStatus)
+
+    return {
+      ok: false,
+      status: normalized.status,
+      valid: false as const,
+      values: sanitizeFlashedInput(values, schemaDefinition) as Partial<TData>,
+      errors: normalizeFailureErrors(errors.flatten(), normalized.errors),
+    }
+  }
 
   const success = <TPayload>(payload?: TPayload, status?: number): FormSuccessPayload<TPayload | undefined> => ({
     ok: true,
@@ -165,12 +219,8 @@ function createSubmission<TData>(
       errors,
       serialize,
       success,
-      fail(status?: number) {
-        const payload = failure()
-        return {
-          ...payload,
-          status: normalizeStatus(status, payload.status),
-        }
+      fail(input?: FormFailureInput) {
+        return failure(input)
       },
     })
   }
@@ -183,12 +233,8 @@ function createSubmission<TData>(
     errors,
     serialize,
     success,
-    fail(status?: number) {
-      const payload = failure()
-      return {
-        ...payload,
-        status: normalizeStatus(status, payload.status),
-      }
+    fail(input?: FormFailureInput) {
+      return failure(input)
     },
   })
 }
@@ -198,9 +244,13 @@ export function createSuccessfulSubmission<TShape extends SchemaInputShape>(
   data: InferSchemaData<TShape>,
 ): FormSubmissionSuccess<InferSchemaData<TShape>> {
   void schemaDefinition
-  return createSubmission<InferSchemaData<TShape>>(true, data, createErrorBag()) as FormSubmissionSuccess<
-    InferSchemaData<TShape>
-  >
+  return createSubmission<InferSchemaData<TShape>>(
+    true,
+    data,
+    createErrorBag(),
+    422,
+    schemaDefinition,
+  ) as FormSubmissionSuccess<InferSchemaData<TShape>>
 }
 
 export function createFailedSubmission<TShape extends SchemaInputShape>(
@@ -216,6 +266,7 @@ export function createFailedSubmission<TShape extends SchemaInputShape>(
     values,
     createErrorBag<InferSchemaData<TShape>>(flattenedErrors),
     normalizedStatus,
+    schemaDefinition,
   ) as FormSubmissionFailure<InferSchemaData<TShape>>
 }
 
diff --git a/packages/forms/src/index.ts b/packages/forms/src/index.ts
index 4533ac0..6b7395c 100644
--- a/packages/forms/src/index.ts
+++ b/packages/forms/src/index.ts
@@ -12,6 +12,9 @@ export {
   isFormSchema,
 } from './schema'
 export type {
+  FormFailureErrors,
+  FormFailureInput,
+  FormFailureOptions,
   FormFailurePayload,
   InferFormData,
   FormRequestLikeInput,
diff --git a/packages/forms/src/sensitiveInput.ts b/packages/forms/src/sensitiveInput.ts
index 1665412..d14a4a4 100644
--- a/packages/forms/src/sensitiveInput.ts
+++ b/packages/forms/src/sensitiveInput.ts
@@ -1,3 +1,5 @@
+import type { FieldDefinition, SchemaInputShape, ValidationSchema } from '@holo-js/validation'
+
 const DEFAULT_DONT_FLASH_FIELDS = Object.freeze([
   'confirm_password',
   'confirmPassword',
@@ -12,6 +14,8 @@ const DEFAULT_DONT_FLASH_FIELDS = Object.freeze([
 
 const DEFAULT_DONT_FLASH_FIELD_SET = new Set<string>(DEFAULT_DONT_FLASH_FIELDS)
 
+type SensitiveSchema = Pick<ValidationSchema<SchemaInputShape>, 'fields'>
+
 function isPlainObject(value: unknown): value is Record<string, unknown> {
   return !!value
     && typeof value === 'object'
@@ -20,19 +24,103 @@ function isPlainObject(value: unknown): value is Record<string, unknown> {
     && !(value instanceof Blob)
 }
 
-export function sanitizeFlashedInput<TData>(
-  values: Partial<TData> | TData,
-): Partial<TData> | TData {
+function isFieldDefinition(value: unknown): value is FieldDefinition {
+  return isPlainObject(value)
+    && typeof value.kind === 'string'
+    && Array.isArray(value.rules)
+}
+
+function isSchemaField(value: unknown): value is { readonly kind: 'field', readonly definition: FieldDefinition } {
+  return isPlainObject(value)
+    && value.kind === 'field'
+    && isFieldDefinition(value.definition)
+}
+
+function collectSensitivePathsFromFields(
+  fields: Record<string, unknown>,
+  prefix = '',
+  output: string[] = [],
+): string[] {
+  for (const [key, value] of Object.entries(fields)) {
+    const path = prefix ? `${prefix}.${key}` : key
+
+    if (DEFAULT_DONT_FLASH_FIELD_SET.has(key)) {
+      output.push(path)
+    }
+
+    if (isSchemaField(value)) {
+      if (value.definition.sensitive === true) {
+        output.push(path)
+      }
+      continue
+    }
+
+    if (isPlainObject(value)) {
+      collectSensitivePathsFromFields(value, path, output)
+    }
+  }
+
+  return output
+}
+
+function collectSensitivePaths(schemaDefinition: SensitiveSchema | undefined): readonly string[] {
+  if (!schemaDefinition) {
+    return []
+  }
+
+  return collectSensitivePathsFromFields(schemaDefinition.fields as Record<string, unknown>)
+}
+
+function deletePath(root: Record<string, unknown>, path: string): void {
+  const parts = path.split('.').filter(Boolean)
+  const leaf = parts.at(-1)
+  if (!leaf) {
+    return
+  }
+
+  let cursor: unknown = root
+  for (const part of parts.slice(0, -1)) {
+    if (!isPlainObject(cursor)) {
+      return
+    }
+
+    cursor = cursor[part]
+  }
+
+  if (isPlainObject(cursor)) {
+    delete cursor[leaf]
+  }
+}
+
+function sanitizePlainObject<TData>(
+  values: TData,
+  sensitivePaths: readonly string[],
+): TData {
   if (!isPlainObject(values)) {
     return values
   }
 
-  return Object.fromEntries(
-    Object.entries(values).filter(([key]) => !DEFAULT_DONT_FLASH_FIELD_SET.has(key)),
-  ) as Partial<TData> | TData
+  const output = structuredClone(values) as Record<string, unknown>
+
+  for (const field of DEFAULT_DONT_FLASH_FIELD_SET) {
+    delete output[field]
+  }
+
+  for (const path of sensitivePaths) {
+    deletePath(output, path)
+  }
+
+  return output as TData
+}
+
+export function sanitizeFlashedInput<TData>(
+  values: Partial<TData> | TData,
+  schemaDefinition?: SensitiveSchema,
+): Partial<TData> | TData {
+  return sanitizePlainObject(values, collectSensitivePaths(schemaDefinition))
 }
 
-export function clearSensitiveInputValues<TData>(values: TData): TData {
+export function clearSensitiveInputValues<TData>(values: TData, schemaDefinition?: SensitiveSchema): TData {
   if (!isPlainObject(values)) {
     return values
   }
@@ -41,9 +129,14 @@ export function clearSensitiveInputValues<TData>(values: TData): TData {
     delete values[field]
   }
 
+  for (const path of collectSensitivePaths(schemaDefinition)) {
+    deletePath(values, path)
+  }
+
   return values
 }
 
 export const sensitiveInputInternals = {
+  collectSensitivePaths,
   DEFAULT_DONT_FLASH_FIELDS,
 }
diff --git a/packages/forms/tests/client.test.ts b/packages/forms/tests/client.test.ts
index 9a2d239..b8c721b 100644
--- a/packages/forms/tests/client.test.ts
+++ b/packages/forms/tests/client.test.ts
@@ -278,7 +278,7 @@ describe('@holo-js/forms client', () => {
     const registerUser = schema({
       name: field.string().required(),
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
 
     const client = useForm(registerUser, {
@@ -489,11 +489,12 @@ describe('@holo-js/forms client', () => {
     expect('valid' in fallback && fallback.valid === true).toBe(true)
   })
 
-  it('clears Laravel-style dontFlash fields after server-side failures', () => {
+  it('clears sensitive fields after server-side failures', () => {
     const registerUser = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8),
+      passwordConfirmation: field.password().required(),
+      nationalId: field.string().sensitive().required(),
     })
 
     const client = useForm(registerUser, {
@@ -501,6 +502,7 @@ describe('@holo-js/forms client', () => {
         email: 'ava@example.com',
         password: 'super-secret',
         passwordConfirmation: 'super-secret',
+        nationalId: 'private-id',
       },
     })
 
@@ -520,6 +522,7 @@ describe('@holo-js/forms client', () => {
     expect(client.values.email).toBe('bad')
     expect(client.values.password).toBeUndefined()
     expect(client.values.passwordConfirmation).toBeUndefined()
+    expect(client.values.nationalId).toBeUndefined()
     expect(client.errors.first('password')).toBe('The password field is required.')
   })
 
diff --git a/packages/forms/tests/client.type.test.ts b/packages/forms/tests/client.type.test.ts
index 178f1aa..4a30909 100644
--- a/packages/forms/tests/client.type.test.ts
+++ b/packages/forms/tests/client.type.test.ts
@@ -87,8 +87,8 @@ describe('@holo-js/forms client typing', () => {
     const registerUser = schema({
       name: field.string().required(),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
     })
 
     const client = useForm(registerUser, {
diff --git a/packages/forms/tests/contracts.test.ts b/packages/forms/tests/contracts.test.ts
index dac976d..6b20ade 100644
--- a/packages/forms/tests/contracts.test.ts
+++ b/packages/forms/tests/contracts.test.ts
@@ -71,7 +71,7 @@ describe('@holo-js/forms contracts', () => {
   it('creates form schemas from shapes and validation schemas', () => {
     const direct = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
     const nested = schema(defineSchema({
       profile: {
@@ -231,9 +231,10 @@ describe('@holo-js/forms contracts', () => {
   it('excludes password-like dontFlash fields while preserving transport tokens in serialized failure payloads', async () => {
     const registerUser = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8),
+      passwordConfirmation: field.password().required(),
       token: field.string().required(),
+      nationalId: field.string().sensitive().required(),
     })
 
     const failure = await validate({
@@ -241,6 +242,7 @@ describe('@holo-js/forms contracts', () => {
       password: 'super-secret',
       passwordConfirmation: 'super-secret',
       token: 'reset-token',
+      nationalId: 'private-id',
     }, registerUser)
 
     expect(failure.valid).toBe(false)
@@ -253,6 +255,7 @@ describe('@holo-js/forms contracts', () => {
       password: 'super-secret',
       passwordConfirmation: 'super-secret',
       token: 'reset-token',
+      nationalId: 'private-id',
     })
     expect(failure.serialize()).toEqual({
       valid: false,
@@ -277,6 +280,45 @@ describe('@holo-js/forms contracts', () => {
         email: ['Invalid email: Received "bad"'],
       },
     })
+    expect(failure.fail({
+      status: 409,
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    })).toEqual({
+      ok: false,
+      status: 409,
+      valid: false,
+      values: {
+        email: 'bad',
+        token: 'reset-token',
+      },
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    })
+  })
+
+  it('merges failure override errors with existing validation errors', () => {
+    const registerUser = schema({
+      email: field.string().required().email(),
+      token: field.string().required(),
+    })
+    const failure = createFailedSubmission(registerUser, {
+      email: 'bad',
+    }, {
+      email: ['Invalid email.'],
+      token: ['Missing token.'],
+    })
+
+    expect(failure.fail({
+      errors: {
+        email: ['A user with this email already exists.'],
+      },
+    }).errors).toEqual({
+      email: ['A user with this email already exists.'],
+      token: ['Missing token.'],
+    })
   })
 
   it('preserves verification and reset transport tokens while still stripping passwords', () => {
@@ -294,6 +336,39 @@ describe('@holo-js/forms contracts', () => {
     })
   })
 
+  it('does not mutate nested values when sanitizing flashed input', () => {
+    const profileForm = schema({
+      email: field.string().required(),
+      profile: {
+        displayName: field.string().required(),
+        nationalId: field.string().sensitive().required(),
+      },
+    })
+    const values = {
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      profile: {
+        displayName: 'Ava',
+        nationalId: 'private-id',
+      },
+    }
+
+    expect(formsInternals.sanitizeFlashedInput(values, profileForm)).toEqual({
+      email: 'ava@example.com',
+      profile: {
+        displayName: 'Ava',
+      },
+    })
+    expect(values).toEqual({
+      email: 'ava@example.com',
+      password: 'secret-secret',
+      profile: {
+        displayName: 'Ava',
+        nationalId: 'private-id',
+      },
+    })
+  })
+
   it('does not coerce plain form objects with request-like field names into Request inputs', async () => {
     const requestMeta = schema({
       method: field.string().required(),
diff --git a/packages/forms/tests/docs-examples.test.ts b/packages/forms/tests/docs-examples.test.ts
index 23cfefe..626b791 100644
--- a/packages/forms/tests/docs-examples.test.ts
+++ b/packages/forms/tests/docs-examples.test.ts
@@ -7,8 +7,8 @@ describe('@holo-js/forms documented examples', () => {
     const registerUser = schema({
       name: field.string().required().min(3).max(255),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
     })
 
     const registerFailureRequest = new Request('https://example.com/register', {
@@ -101,7 +101,7 @@ describe('@holo-js/forms documented examples', () => {
   it('covers the documented client login, nested profile, and file upload flows', async () => {
     const loginSchema = schema({
       email: field.string().required().email(),
-      password: field.string().required().min(8),
+      password: field.password().required().min(8),
     })
 
     const login = useForm(loginSchema, {
diff --git a/packages/validation/src/contracts-support.ts b/packages/validation/src/contracts-support.ts
index 0448b73..9231047 100644
--- a/packages/validation/src/contracts-support.ts
+++ b/packages/validation/src/contracts-support.ts
@@ -81,6 +81,13 @@ export function cloneDefinition(definition: FieldDefinition, rule: FieldRule): F
   })
 }
 
+export function markDefinitionSensitive(definition: FieldDefinition): FieldDefinition {
+  return Object.freeze({
+    ...definition,
+    sensitive: true as const,
+  })
+}
+
 export function assertFiniteNumber(value: number, label: string): void {
   if (!Number.isFinite(value)) {
     throw new ValidationContractError(`${label} must be a finite number.`)
@@ -129,12 +136,13 @@ export function normalizeSchemaShape<TShape extends SchemaInputShape>(shape: TSh
   return Object.freeze(Object.fromEntries(normalizedEntries)) as NormalizedSchemaShape<TShape>
 }
 
-export function createField<TOutput>(kind: FieldKind, item?: FieldDefinition): ValidationField<TOutput> {
+export function createField<TOutput>(kind: FieldKind, item?: FieldDefinition, sensitive = false): ValidationField<TOutput> {
   return Object.freeze({
     kind: 'field' as const,
     definition: Object.freeze({
       kind,
       item,
+      ...(sensitive ? { sensitive: true as const } : {}),
       rules: Object.freeze([]),
     }),
   })
diff --git a/packages/validation/src/contracts-types.ts b/packages/validation/src/contracts-types.ts
index c4defa8..3b39b06 100644
--- a/packages/validation/src/contracts-types.ts
+++ b/packages/validation/src/contracts-types.ts
@@ -87,6 +87,7 @@ export interface FieldRule {
 export interface FieldDefinition {
   readonly kind: FieldKind
   readonly rules: readonly FieldRule[]
+  readonly sensitive?: boolean
   readonly item?: FieldDefinition
 }
 
diff --git a/packages/validation/src/contracts.ts b/packages/validation/src/contracts.ts
index a933d22..7e863c9 100644
--- a/packages/validation/src/contracts.ts
+++ b/packages/validation/src/contracts.ts
@@ -35,6 +35,7 @@ import {
   normalizeRequestInput,
   normalizeRule,
   normalizeSchemaShape,
+  markDefinitionSensitive,
   parseByteSize,
   resolveCompiledSchema,
 } from './contracts-support'
@@ -65,6 +66,15 @@ export class ValidationFieldBuilder<TOutput> implements StandardSchemaV1<unknown
     return new ValidationFieldBuilder(nextField)
   }
 
+  sensitive(): ValidationFieldBuilder<TOutput> {
+    const nextField = Object.freeze({
+      ...this.field,
+      definition: markDefinitionSensitive(this.field.definition),
+    }) as ValidationField<TOutput>
+
+    return new ValidationFieldBuilder(nextField)
+  }
+
   required(message?: string): ValidationFieldBuilder<Exclude<TOutput, undefined>> {
     return this.clone<Exclude<TOutput, undefined>>(normalizeRule('required', [], message))
   }
@@ -230,6 +240,9 @@ export const field = Object.freeze({
   string() {
     return new ValidationFieldBuilder<string>(createField('string'))
   },
+  password() {
+    return new ValidationFieldBuilder<string>(createField('string', undefined, true))
+  },
   number() {
     return new ValidationFieldBuilder<number>(createField('number'))
   },
diff --git a/packages/validation/tests/contracts.test.ts b/packages/validation/tests/contracts.test.ts
index 867998e..e7f8cf5 100644
--- a/packages/validation/tests/contracts.test.ts
+++ b/packages/validation/tests/contracts.test.ts
@@ -18,7 +18,8 @@ describe('@holo-js/validation contracts', () => {
     const registerUser = schema({
       name: field.string().required().min(3).max(255),
       email: field.string().required().email(),
-      password: field.string().required().min(8).confirmed(),
+      password: field.password().required().min(8).confirmed(),
+      nationalId: field.string().sensitive().required(),
       newsletter: field.boolean().default(false),
       tags: field.array(field.string().min(1)).optional(),
       profile: {
@@ -33,6 +34,8 @@ describe('@holo-js/validation contracts', () => {
     expect(registerUser['~standard'].vendor).toBe('holo-js')
     expect(typeof registerUser['~standard'].validate).toBe('function')
     expect(registerUser.fields.name.definition.rules.map(rule => rule.name)).toEqual(['required', 'min', 'max'])
+    expect(registerUser.fields.password.definition.sensitive).toBe(true)
+    expect(registerUser.fields.nationalId.definition.sensitive).toBe(true)
     expect(registerUser.fields.tags.definition.item?.kind).toBe('string')
     expect(registerUser.fields.profile.city.definition.kind).toBe('string')
   })
@@ -76,8 +79,8 @@ describe('@holo-js/validation contracts', () => {
       age: field.number().integer().optional(),
       newsletter: field.boolean().default(false),
       tags: field.array(field.string().min(1)).optional(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
       profile: {
         city: field.string().required(),
       },
@@ -131,8 +134,8 @@ describe('@holo-js/validation contracts', () => {
       name: field.string().required().min(3),
       email: field.string().required().email(),
       age: field.number().integer().optional(),
-      password: field.string().required().min(8).confirmed(),
-      passwordConfirmation: field.string().required(),
+      password: field.password().required().min(8).confirmed(),
+      passwordConfirmation: field.password().required(),
       profile: {
         city: field.string().required(),
       },
@@ -326,7 +329,7 @@ describe('@holo-js/validation contracts', () => {
       email: field.string()
         .required('Email is mandatory.')
         .email('Please enter a valid email address.'),
-      password: field.string()
+      password: field.password()
         .min(8, 'Password must be at least 8 characters.'),
       avatar: field.file()
         .image('Avatar must be an image file.')
@@ -898,7 +901,7 @@ describe('@holo-js/validation coverage completeness', () => {
 
   it('handles confirmed rule failure for missing confirmation field', async () => {
     const passwordSchema = schema({
-      password: field.string().required().confirmed(),
+      password: field.password().required().confirmed(),
     })
 
     const failure = await validate({ password: 'secret123' }, passwordSchema)
diff --git a/scripts/validate-framework-smoke.mjs b/scripts/validate-framework-smoke.mjs
index 7583e01..9ead5a6 100644
--- a/scripts/validate-framework-smoke.mjs
+++ b/scripts/validate-framework-smoke.mjs
@@ -2024,7 +2024,7 @@ function assertAuthSmokePayload(app, payload) {
   assert.equal(payload.social.unverifiedVerifiedEmailPolicyRejected, true)
   assert.equal(payload.social.unverifiedIdentityNotCreated, true)
   assert.equal(payload.social.pkceMismatchRejected, true)
-  assert.equal(payload.social.tokenGuardRejected, true)
+  assert.equal(payload.social.tokenGuardCreatesAccessToken, true)
   assert.equal(payload.social.verificationOptionalSyntheticEmail, true)
 
   assert.equal(payload.workos.missingProviderRejected, true)
diff --git a/tests/example-app-auth-flow.mjs b/tests/example-app-auth-flow.mjs
index 3dd76df..5eeb00f 100644
--- a/tests/example-app-auth-flow.mjs
+++ b/tests/example-app-auth-flow.mjs
@@ -133,6 +133,40 @@ function assertRedirectsTo(result, expectedPath) {
   assert.equal(new URL(location, result.response.url).pathname, expectedPath)
 }
 
+function assertFieldFailure(result, fields) {
+  assert.equal(result.json.ok, false)
+  assert.equal(result.json.valid, false)
+  for (const field of fields) {
+    assert.ok(
+      Array.isArray(result.json.errors?.[field]),
+      `Expected ${field} validation errors.`,
+    )
+  }
+}
+
+function assertThrottleFailure(result) {
+  assert.equal(result.response.status, 429)
+  assert.equal(result.json.ok, false)
+  assert.equal(result.json.valid, false)
+  assert.ok(
+    Array.isArray(result.json.errors?._root),
+    'Expected throttled response to include a root error.',
+  )
+}
+
+function assertSocialRedirect(result, expected) {
+  assert.ok(
+    result.response.status >= 300 && result.response.status < 400,
+    'Expected redirect status in 3xx range.',
+  )
+  const location = result.response.headers.get('location')
+  assert.ok(location, `Expected ${expected.provider} redirect to include a location header.`)
+  const authorizationUrl = new URL(location)
+  assert.equal(authorizationUrl.origin, expected.origin)
+  assert.equal(authorizationUrl.pathname, expected.pathname)
+  assert.ok(authorizationUrl.searchParams.get('state'), `Expected ${expected.provider} redirect to include OAuth state.`)
+}
+
 async function waitForOutputMatch(getOutput, matcher, startIndex = 0, timeoutMs = 10000) {
   const startedAt = Date.now()
 
@@ -166,6 +200,8 @@ export async function assertExampleAppAuthFlow({
   const password = 'secret-secret'
   const nextPassword = 'secret-secret-2'
   const clientIp = `127.0.0.${(Date.now() % 200) + 1}`
+  const throttleLoginIp = `127.0.1.${(Date.now() % 200) + 1}`
+  const throttleRegisterIp = `127.0.2.${(Date.now() % 200) + 1}`
   const requestHeaders = {
     'x-forwarded-for': clientIp,
     'x-real-ip': clientIp,
@@ -206,6 +242,8 @@ export async function assertExampleAppAuthFlow({
 
     const loginPage = await fetchAuthText('/login')
     assert.match(loginPage.text, /Sign in/i)
+    assert.match(loginPage.text, /Continue with Google/i)
+    assert.match(loginPage.text, /Continue with GitHub/i)
     assertGuestNav(loginPage.text)
 
     const forgotPasswordPage = await fetchAuthText('/forgot-password')
@@ -213,12 +251,92 @@ export async function assertExampleAppAuthFlow({
 
     const verifyPromptPage = await fetchAuthText('/verify-email')
     assert.match(verifyPromptPage.text, /Verify your email/i)
+
+    assertRedirectsTo(await fetchAuthText('/admin/posts', {
+      allowFailure: true,
+    }), '/login')
   }
 
   const initialUser = await fetchAuthJson('/api/auth/user')
   assert.equal(initialUser.json.authenticated, false)
   assert.equal(initialUser.json.user, null)
 
+  assertSocialRedirect(await fetchAuthText('/auth/google', {
+    allowFailure: true,
+  }), {
+    provider: 'google',
+    origin: 'https://accounts.google.com',
+    pathname: '/o/oauth2/v2/auth',
+  })
+  assertSocialRedirect(await fetchAuthText('/auth/github', {
+    allowFailure: true,
+  }), {
+    provider: 'github',
+    origin: 'https://github.com',
+    pathname: '/login/oauth/authorize',
+  })
+
+  const missingGoogleCallback = await fetchAuthJson('/auth/google/callback', {
+    allowFailure: true,
+  })
+  assert.equal(missingGoogleCallback.response.status, 400)
+  assert.equal(missingGoogleCallback.json.message, 'Missing OAuth state or code.')
+
+  const missingGithubCallback = await fetchAuthJson('/auth/github/callback', {
+    allowFailure: true,
+  })
+  assert.equal(missingGithubCallback.response.status, 400)
+  assert.equal(missingGithubCallback.json.message, 'Missing OAuth state or code.')
+
+  const badCredentials = await fetchAuthJson('/api/login', {
+    fields: {
+      email,
+      password: 'wrong-password',
+    },
+    headers: {
+      'x-forwarded-for': '127.0.0.224',
+      'x-real-ip': '127.0.0.224',
+    },
+    allowFailure: true,
+  })
+  assert.equal(badCredentials.response.status, 401)
+  assertFieldFailure(badCredentials, ['email', 'password'])
+
+  let throttledLogin
+  const throttledEmail = `${appName}-throttled-login-${Date.now()}@app.test`
+  for (let attempt = 0; attempt < 6; attempt += 1) {
+    throttledLogin = await fetchAuthJson('/api/login', {
+      fields: {
+        email: throttledEmail,
+        password: 'wrong-password',
+      },
+      headers: {
+        'x-forwarded-for': throttleLoginIp,
+        'x-real-ip': throttleLoginIp,
+      },
+      allowFailure: true,
+    })
+  }
+  assertThrottleFailure(throttledLogin)
+
+  let throttledRegister
+  for (let attempt = 0; attempt < 11; attempt += 1) {
+    throttledRegister = await fetchAuthJson('/api/register', {
+      fields: {
+        name: 'No',
+        email: 'not-an-email',
+        password: 'short',
+        passwordConfirmation: 'different',
+      },
+      headers: {
+        'x-forwarded-for': throttleRegisterIp,
+        'x-real-ip': throttleRegisterIp,
+      },
+      allowFailure: true,
+    })
+  }
+  assertThrottleFailure(throttledRegister)
+
   const loggedInVerificationEmail = `${appName}-logged-in-verification-${Date.now()}@app.test`
   const loggedInVerificationOutputStart = getOutput().length
   const loggedInVerificationJar = createCookieJar()
@@ -283,6 +401,32 @@ export async function assertExampleAppAuthFlow({
   )[1]
   assert.ok(verificationToken)
 
+  const invalidVerification = await fetchAuthJson('/api/verify-email', {
+    method: 'POST',
+    fields: {
+      token: `${verificationToken.split('.', 1)[0]}.wrong-secret`,
+    },
+    allowFailure: true,
+  })
+  assert.equal(invalidVerification.response.status, 422)
+  assertFieldFailure(invalidVerification, ['token'])
+
+  const duplicateRegistration = await fetchAuthJson('/api/register', {
+    fields: {
+      name: 'Duplicate Auth Flow User',
+      email,
+      password,
+      passwordConfirmation: password,
+    },
+    headers: {
+      'x-forwarded-for': '127.0.0.225',
+      'x-real-ip': '127.0.0.225',
+    },
+    allowFailure: true,
+  })
+  assert.equal(duplicateRegistration.response.status, 422)
+  assertFieldFailure(duplicateRegistration, ['email'])
+
   const pendingVerificationJar = createCookieJar()
   const unverifiedLogin = await fetchAuthJson('/api/login', {
     fields: {
@@ -330,6 +474,16 @@ export async function assertExampleAppAuthFlow({
   assert.equal(verified.json.ok, true)
   assert.equal(verified.json.data?.redirectTo, '/login')
 
+  const consumedVerification = await fetchAuthJson('/api/verify-email', {
+    method: 'POST',
+    fields: {
+      token: resentVerificationToken,
+    },
+    allowFailure: true,
+  })
+  assert.equal(consumedVerification.response.status, 422)
+  assertFieldFailure(consumedVerification, ['token'])
+
   const authenticatedJar = createCookieJar()
   const loggedIn = await fetchAuthJson('/api/login', {
     fields: {
@@ -478,6 +632,17 @@ export async function assertExampleAppAuthFlow({
   const resetToken = resetTokenMatch[1]
   assert.ok(resetToken)
 
+  const invalidReset = await fetchAuthJson('/api/reset-password', {
+    fields: {
+      token: 'bad-token',
+      password: nextPassword,
+      passwordConfirmation: nextPassword,
+    },
+    allowFailure: true,
+  })
+  assert.equal(invalidReset.response.status, 422)
+  assertFieldFailure(invalidReset, ['token'])
+
   if (checkPages) {
     const resetPage = await fetchAuthText(`/reset-password?token=${encodeURIComponent(resetToken)}`)
     assert.match(resetPage.text, /Reset password/i)
@@ -494,6 +659,17 @@ export async function assertExampleAppAuthFlow({
   assert.equal(resetResult.json.data?.message, 'Password reset successfully. You can sign in with your new password.')
   assert.equal(resetResult.json.data?.redirectTo, '/login')
 
+  const consumedReset = await fetchAuthJson('/api/reset-password', {
+    fields: {
+      token: resetToken,
+      password: nextPassword,
+      passwordConfirmation: nextPassword,
+    },
+    allowFailure: true,
+  })
+  assert.equal(consumedReset.response.status, 422)
+  assertFieldFailure(consumedReset, ['token'])
+
   const oldPasswordLogin = await fetchAuthJson('/api/login', {
     fields: {
       email,